When it comes to security, you really do get what you pay for!
So what exactly are the dangers of consumer (i.e. free) apps? And what should you expect enterprise-grade apps to provide that the free apps don’t?
First, a note about encryption
Free apps have encryption, and so too do enterprise apps. There is much more to security than encryption. Encryption is (or should be) a given; it is rarely the weakest link and therefore rarely the attack vector. The dangers in using free apps for business revolve far more around how your sensitive data is managed, where it goes and who has access to it.
Consumer apps need a GSM number to use as the ‘secure number’. The activation code is then sent to that number in clear text as an SMS message. SMS is easy to intercept, so the security of the app can be compromised before it is even activated.
Enterprise apps can use either a GSM number or a randomly assigned number as the ‘secure number’. Activation is NOT done via an insecure SMS; it can be done via a variety of secure activation methods, which makes it very much harder to compromise.
Harvesting your data
Consumer apps run on the vendor’s infrastructure only, and even if the content is protected, the metadata of each call or message is visible to the vendor. This metadata can be cross-matched with other user IDs owned by the provider to build up a detailed picture of user habits, which can then be used for profiling and targeted advertising, or sold to third parties for a similar purpose.
Enterprise apps run on a subscription business model, so there is no need to harvest user metadata in order to make a profit. Serious cyber security vendors have no interest in selling data or advertising; their emphasis is on security and on maintaining their credibility and brand value.
Some enterprise apps are also available as an ‘on-premises’ option, meaning that not only is the content of the calls/messages secure, but nobody outside of the organisation has access to the metadata. This ensures complete security and privacy regarding when, where and who users are communicating with.
Sharing your Contacts & Secure Community Groups
Consumer apps typically upload the user’s native contacts list to their global database upon activation. While this may be convenient, it does mean that the vendor has your GSM number, and also those of all your contacts, for potential marketing purposes. All of those users will also have had their details cross-matched to their social media profiles, including facial recognition!
For more detail on this worrying scenario, read our blog ‘Whose list are you on?’
Enterprise apps do NOT need to upload the native phone directory. They can instead import a bespoke directory of secure contacts as defined by the organisation. In some cases, real-time integration between the app and the organisation’s internal Active Directory is possible. In addition, by mutual consent, different community groups can be whitelisted to enable communication between organisations for collaborative working purposes.
Third party certification
Consumer apps are rarely, if ever, subject to any independent certification of their security procedures.
Good enterprise apps are certified by government cyber security experts or by international bodies such as NATO.
Intelligent Support v Automation
Consumer apps typically have no human interaction during the activation process. Enterprise apps, by contrast, usually have an account manager assigned during the sales and trial process, with a technical support email and phone line available after the sale. This is invaluable when a VIP user has issues that need resolving quickly.
Management of sent and received files
Some consumer apps store sent and received files on the mobile device’s SD card, unencrypted, and then never delete them. Sometimes this happens even when the delete option has been set, and the files may remain in unencrypted form even after the app is uninstalled.
Enterprise apps that focus on security keep sent and received files encrypted, exposing them in unencrypted form only briefly so that the third-party viewer that displays them can read them. Any such files are then removed as soon as the user has finished viewing them.
When dealing with sensitive business communications of any type (voice, message, text, video and attachments), you need to be sure of exactly where your data and metadata are going, and who can see them. You also need to remember that not all enterprise apps are created equal: check that everything you think is secure is in fact protected, for example your attachments, your contacts and your metadata.
When it comes to secure communications, don’t trust a free app, because you really do get what you pay for.