The Electronic Frontier Foundation is reviewing messaging apps and scoring them for security. You can see the results on a new Secure Messaging Scorecard posted on the group's website.
The first eye-catching part of this EFF audit is the sheer number of messaging apps that don't have basic security measures and oversight. The EFF rates apps for their…
- Encryption (in transit, and so that the provider cannot read it).
- Code audits.
- Security design.
- Security of past communications after an encryption key has been stolen (i.e., perfect forward secrecy).
- Ability to verify the identity of senders.
Amazingly, popular messaging programs like Facebook Chat, Snapchat, BlackBerry Messenger, and WhatsApp each fared poorly. Many of these apps passed only one of the seven security categories on the EFF scorecard.
Wait, Snapchat isn't secure? If you've been following the news, this will come as no surprise. In "Snap Chat Leak Offers Liability Lesson for Developers," we profiled how the Federal Trade Commission came down on Snapchat, ruling that the app couldn't advertise that it was secure because of how easy it was to circumvent the app's security features. Even apps that claim to be secure can be riddled with security holes.
Which Are the Best Apps for Secure Messaging?
It's important to note that the EFF didn't evaluate any code. The organization only evaluated whether or not messaging apps had certain features that were generally in step with best practices. In other words, the EFF didn't evaluate how effective each app's crypto was, only whether or not it was in place.
The results of the survey highlight which companies are doing the right things. What apps scored the best? Among popular messaging apps, Apple's iMessage scored the best (though it only scored 5 out of 7). Here are the messaging apps with perfect scores:
- ChatSecure.
- Cryptocat.
- Signal.
- Silent Phone.
- Silent Text.
- TextSecure.
Why Care about Messaging App Security?
To some business owners, it might seem like paranoia to be concerned about hackers snooping on a business's instant messaging. If you run a local coffee roaster, the odds are pretty slim that someone's going to try to steal your trade secrets from your iPhone.
But mobile messaging security can be an issue when employees use these apps to communicate with each other. If employees send spreadsheets, business IP, or discuss upcoming acquisitions via messaging apps, they could expose the company to serious cyber risk.
For instance, law firms have been targeted by hackers because they often have records and information about upcoming mergers and acquisitions. This information – because it affects the stock market – is extremely valuable.
What Does It Mean that So Many Apps Don't Follow Security Best Practices?
The EFF's research shouldn't surprise anyone who follows mobile development and data security. In the world of start-ups, few companies prioritize security from the beginning. The focus is often on marketing and slick in-app interfaces, which means that many developers don't spend adequate time on security.
It's an unfortunate reality that many of the most common apps and programs have basic flaws in their security. For IT consultants, these fundamental shortfalls in data security expose them to risk. Because you can be sued if a client's data is exposed, your business is always at risk of an IT lawsuit. To learn more about covering your IT liability, read about technology Errors and Omissions Insurance.