Which Third-Party Messenger App Is Best for Secure Business?
In October 2021, Facebook (now Meta), and all its platforms (Instagram, WhatsApp and Messenger) shut down across the globe for up to six hours, leaving billions without a messaging service. While Facebook engineers scrambled to fix the problem, users pivoted to other apps to stay connected. In the wake of the outage, Telegram added 70 million users, according to the platform’s founder Pavel Durov.
While the Facebook outage was due to a routine maintenance error, the event led many to wonder about messaging app breaches and other issues. If someone switched from WhatsApp to Telegram, did they really end up with a more secure app? What makes a messenger app more secure? And what about the risks of using instant messages for business?
These questions matter, since we use messaging apps more and more in day-to-day life. This is especially relevant among international teams where rapid, affordable communication helps people work faster.
While there’s no consensus, messaging app security comparisons exist. But beware. What one source says is secure, another source might say otherwise.
Meanwhile, cybersecurity researcher Natalie Silvanovich from the Project Zero team at Google found a serious glitch in the Signal app. Using a modified client, she sent a peer-to-peer connect message to a device running Signal. This enabled a voice call to be answered, even though the callee never touched the device.
Silvanovich found similar gaps in Facebook Messenger, Google Duo, JioChat and Mocha. After her report, all these vulnerabilities have since been fixed.
What about threat actors? What app are they chatting on? Is it secure? Recent research described a burgeoning network of cyber criminals on Telegram, where data leaks have increased in frequency. Some illicit Telegram channels host tens of thousands of subscribers, and the content looks like what one might find on darknet hubs. Still, what attracts threat actors might not be the app’s security, but rather the lack of platform moderation.
Security-wise, Telegram uses its own MTProto encryption protocol, rather than the more widely accepted Transport Layer Security (TLS) protocol. Some cryptographers consider MTProto to be a cryptographic weakness. While any encryption is better than none, the MTProto security requirement building blocks (hash functions, block ciphers, public-key encryption, etc.) are untested.
Telegram isn’t worried about its encryption security, though. In fact, the platform recently held a contest to crack Telegram’s encryption. Despite offering a $30,000 bounty, nobody cracked the platform’s Secret Chats code. Note that the Telegram Secret Chats mode is not on by default, and it doesn’t function in group chat, either. During standard chat and group chat, end-to-end encryption remains inactivated on Telegram.
What about SMS messages? Are they more secure? Syniverse is a company that routes hundreds of billions of text messages every year for hundreds of carriers, such as Verizon, T-Mobile and AT&T. In May 2021, the company told government regulators that attackers had been breaching its databases for five years. Syniverse processes over 740 billion messages each year for over 300 mobile operators worldwide.
What information did the attackers expose? The company did not say, but SMS text message content may have been targeted.
Google Messages, Apple iMessage and Facebook Messenger (and Meta’s WhatsApp) have also been scrutinized for their application security. Google and Apple turn on encryption by default, as does WhatsApp, but Facebook Messenger does not.
Other criticisms about security surrounding Google and Facebook include the collection of user information. Since they collect user data, they must also secure it. This implies added risk. In addition, Apple uses a closed-source app and backend server code. This calls into question the quality of the code, including the strength of encryption or if vulnerabilities exist.
Of all the messaging apps out there, Signal appears to be one of the more secure. Yes, it was found to be at risk for eavesdropping attacks as mentioned earlier, but that weakness has reportedly been fixed.
Meanwhile, Signal has many traits to look for in a secure messaging app, such as:
Beyond the intrinsic security of the messenger platform, how your teams interact with the app greatly affects security. For example, phishing campaigns and social engineering attacks have affected third-party messenger apps for years. Attackers simply send a tempting message to targets to get them to click on a link or download an infected file.
While breaching a corporate network from a smartphone app might be difficult, many users also install a desktop version of their messaging app. Any malicious link or download accessed from the desktop app version could open the door to malware.
It’s likely that companies — especially ones with international teams — will continue to use popular messaging apps. While no application is 100% secure, some implement better security measures than others. End-to-end default encryption is one example of good security practice. It also pays to remind teams that online phishing scams are just as dangerous when they target you from your app.
Jonathan Reed is a freelance technology writer. For the last decade, he has written about a wide range of topics including cybersecurity, Industry 4.0, AI/ML…
4 min read – This is a time of major changes for businesses and agencies. That includes the move to the cloud and the shift to being digital-first. So, cybersecurity has moved to a front-and-center position in many companies and industries. When talking about…
3 min read – Corporate clients and cloud service providers (CSPs) are both responsible for cloud security. Clients remain accountable for governance and compliance. However, their other duties will vary depending upon the type of cloud deployment. What can cloud-native security controls do for…
8 min read – This post was written with contributions from IBM Security X-Force’s Anne Jobmann, Claire Zaboeva and Richard Emerson. February 25, 2022 Update On February 24 2022, Symantec Enterprise reported a ransomware dubbed as PartyTicket was deployed alongside the HermeticWiper malware. IBM…
While you may have never heard of “Electron applications,” you most likely use them. Electron technology is in many of today’s most popular applications, from streaming music to messaging to video conferencing applications. Under the hood, Electron is essentially a Google Chrome window, which developers can modify to look however they prefer. Since Chrome is […]
In October 2021, Facebook (now Meta), and all its platforms (Instagram, WhatsApp and Messenger) shut down across the globe for up to six hours, leaving billions without a messaging service. While Facebook engineers scrambled to fix the problem, users pivoted to other apps to stay connected. In the wake of the outage, Telegram added 70 […]
In 2017, the number of connected devices surpassed the world’s human population. That’s a lot of things. However, many of them were not built with security in mind. It didn’t take long for attackers to take advantage of Internet of Things (IoT) vulnerabilities. One case in 2016 saw threat actors take down Dyn, a company […]
How much do you know about the metaverse? Everyone started talking about the metaverse in the summer of 2021. Facebook CEO Mark Zuckerberg kicked it off with his plan to focus his company on building what he imagined would be the future of social, business, leisure and culture: the metaverse. He even changed the name […]
Analysis and insights from hundreds of the brightest minds in the cybersecurity industry to help you prove compliance, grow business and stop threats.
With about 2 billion monthly active users, WhatsApp is the single most active and popular mobile messenger app. That kind of popularity tends to make software vulnerable, which...Read more