Almost everyone has used Google Chat to talk to coworkers who are just down the hallway, or iMessage to text close friends from work computers. Our networks trust and authenticate such apps on the strength of their names alone. But, according to the recent EFF Secure Messaging Scorecard, neither is a truly secure messaging app — nor are any of the other reputable apps that many firms use.
You might be comfortable with your employees sneaking in some Friday evening planning on Friday morning. But as soon as one of them sends a piece of sensitive information via a messaging service, that person is (and by extension, you are) trusting the app to protect that data in all phases: in transit, in use and at rest. Once something's typed and sent, it will exist forever. Will it be safe? Or could it prove catastrophic? In light of the EFF's findings, it's worth evaluating the apps your firm relies on.
Who Has Your Keys?
When a messaging service has access to a user's data, all kinds of problems can occur. Most apps use "keys" to authenticate users — once the key has authenticated you, the app stays logged in and running without asking again. These keys can be stored on the device or on the server the app is communicating with — in either case, app developers need to secure the keys.
Storing the key on the server requires an authentication pattern that gives the provider access to user data; the bigger problem is that anyone who breaks into that server gains the same access. Alternatively, if the device is rooted, every key stored on it is exposed.
"It's about protecting the keys," says Veracode VP of Mobile Theodora Titonis. "Storing keys on the server instead of the device is like handing your house keys to your neighbor. That might not sound like such a bad thing — until you realize you have no idea whether your neighbor locks her doors when she leaves her house. It puts you in a situation where whether you lock up or not has very little bearing on your home's safety."
Titonis also notes that "storing keys on the device means your key must be protected in a very hostile environment. As app developers, we have no control over other malicious apps on users' devices or any exploits capable of rooting the devices. So it's imperative for us to use strong encryption and secure key management correctly — and that is not a trivial task."
Token-Based Authentication: The Hero Users Deserve
So apps are all about finding the balance between security and usability, but what good is usability if it leads to costly compromises? There's no entirely secure way to store a key on a mobile device, so any secure messaging app will require token-based authentication.
According to W3.org, token-based authentication is when a user obtains a token by entering his or her username and password. Once that token is granted, "the user can offer the token — which offers access to a specific resource for a time period — to the remote site. Using some form of authentication: a header, GET or POST request, or a cookie of some kind, the site can then determine what level of access the request in question should be afforded."
And even though token-based authentication might make messaging apps a little less easy to use, it will also make them a lot more secure. That way, when your employees' conversations shift from planning happy hour to discussing internal issues or sharing sensitive information, their data will be as safe as possible.
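As an added example (not code from the original article or from W3.org), here is the token flow described above in Python: a username/password exchange issues an HMAC-signed token scoped to one resource with an expiry, and the server checks it from an Authorization header. The signing secret, salt and user store are constructed for the demo; only the server holds the secret, so the device keeps nothing but a short-lived token.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: the signing secret never leaves the server. The client only ever
# holds the short-lived token, so a compromised device exposes at most that token.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
# Constructed user store: username -> PBKDF2 hash of the password (one salt for the demo).
_SALT = b"demo-salt"
_USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(username, password, resource, ttl_seconds, now=None):
    """Trade a username/password for a token scoped to one resource for ttl_seconds."""
    stored = _USERS.get(username)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    # PBKDF2 runs even for unknown users, so a missing account is not visibly faster.
    if stored is None or not hmac.compare_digest(stored, candidate):
        return None
    now = time.time() if now is None else now
    claims = {"sub": username, "res": resource, "exp": int(now + ttl_seconds)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def check_token(header_value, resource, now=None):
    """Validate 'Authorization: Bearer <token>' for one resource; username or None."""
    if not header_value.startswith("Bearer "):
        return None
    try:
        payload_b64, sig_b64 = header_value[len("Bearer "):].split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:  # wrong number of parts or undecodable base64
        return None
    # Verify the MAC before trusting anything inside the payload.
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(payload)
    now = time.time() if now is None else now
    if claims["exp"] <= now or claims["res"] != resource:
        return None  # expired, or a token issued for a different resource
    return claims["sub"]
```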
So, What Does That Mean for CISOs?
For secure messaging, a secure cipher- and token-based approach is the only way for an app to get an "A" in all three phases of data transfer. But tokens and app security alone aren't enough: Comprehensive security solutions involve layered approaches that call for secure messaging apps, servers and infrastructures — plus frequent code audits on a third-party vendor's end. And when it comes to something as important as sensitive data, anything short of comprehensive isn't secure at all. By choosing an app that scores high on the EFF scorecard, you're ensuring one more link in the secure enterprise chain is as strong as it can be. And any next step you take toward total security is a smart one. Guaranteed.