Many users take messaging app security for granted when sending text messages, voice messages, photos, and videos. However, not all apps secure messaging data equally. This is a concern for both organizations and individuals who wish to ensure the confidentiality, integrity, and authenticity of information transferred between authorized users.
Elements of Messaging Security
Messaging app security has many facets, each of which is important to achieving data security.
Encryption scrambles data into an unreadable format before it is sent to its intended recipient, so that the data is protected in transit. The encrypted data is then decrypted into its original, intelligible format when received. To accomplish this, encryption keys are shared between the sender and the recipient.
There are various types of encryption and decryption in use, some more secure than others. The two major types used today are symmetric and asymmetric encryption. Symmetric encryption uses a single key for data transfer. Asymmetric encryption, the stronger of the two, uses two keys: a public key, which is shared between users to scramble data, and a private key, which is never shared, to return the data to its original format.
Some messaging apps require a password to protect information. This adds another layer of security should a device be lost or stolen.
Multi-factor authentication has become a common feature of enterprise security management. It provides assurance that access is open only to authorized parties.
Many apps have the capability to destroy messages automatically after a set amount of time. Although included in an app, this feature may need to be activated in its settings. Here again, this feature can provide an additional layer of security if a device is stolen or lost.
Message deletion functionality can vary greatly across app providers. Some apps, such as Signal and Telegram, allow users to delete messages on both sides of a conversation. Others, such as Apple iMessage, only allow deletion of messages from one device. Additionally, iMessage only allows deletion of entire chats, not a single message.
Many providers of messaging apps collect a user’s metadata. Metadata is in essence data about data. This data can include names, numbers, email addresses, timestamp data, source, and destination information.
Many providers of apps such as Google Messages profit by selling metadata to other companies. Other providers such as Signal, Threema, and Session encrypt metadata to protect it from external viewers.
This data can also be accessed by other organizations such as the Federal Bureau of Investigation (FBI). While FBI access may be a reason for concern, this data cannot be obtained without a warrant or subpoena.
Protection Against External Attack
As with other forms of electronic data transfer, messaging apps are subject to malware, viruses, and phishing. Once a device is compromised by these attacks, other devices or networks that share information with it can be affected. Apps selected for use should be resilient to attacks and may need to be supplemented by anti-malware apps.
Open Source Code
Much has been written about the value of applications that have publicly available source code. These platforms are generally considered more reliable because they are open to peer review from security experts. This creates an increased level of trust, in that users can have a higher expectation that vulnerabilities and hidden backdoors do not exist in the product.
This is a major consideration when choosing a messaging app as many popular apps use closed source code. These include Google, Apple, Facebook, and Skype. Providers that do use open source include Signal, Threema, Wire, and Session.
While video is not generally associated with messaging, there are video messaging apps. Video calls, however, are widely used and can expose far more personal data than a text message. Many apps do not provide end-to-end encryption. If video messaging is desirable and privacy a concern, Wire is an open source provider that encrypts this data.
Special Concerns for Organizations
Employee data access often can cross lines between business and personal usage. Where the protection of sensitive data is concerned it is important that organizations protect devices by blocking unapproved apps and communicating to employees the inherent risks through policies, guidelines, and education.
It is also important to realize that controls that prevent data breaches, such as encryption, can also prevent cybersecurity controls from detecting data loss or leakage. Policies and controls in an Information Security Management System (ISMS) should take these risks into consideration.
No system is stronger than its weakest link, and all too often that link is the human operating a device. Again and again, organizations have fallen prey to the least sophisticated scams and suffered severe data breaches. Continual education of people at all levels should reinforce best practices such as avoiding public Wi-Fi, not sending sensitive information over messaging apps, not clicking links in messages, and keeping devices secured.
There are numerous options when selecting an appropriate app for an organization’s messaging needs. While product reviews can be helpful in making these selections it is important to remember to check that the desired security features are enabled in the system settings.
Collaborative tools have become more essential as business models have incorporated remote workplaces. Organizations that rely on apps to promote collaboration must therefore critically assess their employees' habits to weigh and balance the risks.
There are no easy answers when selecting the perfect app. Generally however, it would be wise to avoid providers whose business models are centered around the collection of user information. This would include companies such as Google, Facebook, and Microsoft.
CVG Strategy Information Security Management System Consultants
We can help your organization protect its sensitive information with an Information Security Management System. An Information Security Management System is a collection of policies, procedures, and controls that systematically address information security in an organization. It is a framework based on risk assessment and risk management.
The most widely recognized and instituted ISMS in the business environment is ISO 27001. It shares many of the features of a quality management system such as ISO 9001.
CVG Strategy QMS experts are Exemplar Global Certified Lead Auditors. We can provide the training required to understand and engage in an ISMS and make it meet desired objectives, including messaging app security. This process includes defining the context of your organization, creating internal auditing processes, and much more. Contact us to learn more.