What other undesirable apps are potentially accessing your corporate data?
On 16 March the UK Government announced a ban on the use of TikTok on government phones and devices. The ban is in line with those announced by US and Canadian governments and the European Commission. A report submitted to the Australia’s Select Committee on Foreign Interference through Social Media “…confirms beyond any plausible doubt that TikTok is owned by ByteDance, ByteDance is a People’s Republic of China (PRC) company, and ByteDance is subject to all the influence, guidance and de facto control to which the Chinese Communist Party (CCP) now subjects all PRC technology companies.” The report shows “… how the CCP and PRC state agencies (together, the Party-state) have extended their ties into ByteDance to the point that the company can no longer be accurately described as a private enterprise.”
The Register states: “The report, by a quartet of researchers, was hailed as “the most comprehensive exploration yet of the CCP’s ties to TikTok” by Brendan Carr, commissioner of the United States’ Federal Communications Commission. India’s IT minister Rajeev Chandrasekhar retweeted Carr’s remarks.”
This latest revelation must raise serious concerns amongst CISOs and anyone with any interest in data security. Any mobile phone that is used for business that also uses TikTok may raise the risk of leaking valuable commercial data and intellectual property to a totalitarian regime that actively pursues industrial and academic espionage.
If we needed any further reminder that consumer apps should NEVER be trusted to handle enterprise data, here are a few other recent stories…
Mobile phone account takeovers – are you safe from mobile phone number recycling?
When registering for a free messaging app it is common practice to use your mobile phone number. Indeed, for most services, this is the only option available. However, this brings its own privacy issues because the data security at the multi-national social media companies that tend to own consumer apps is often found wanting.
This cautionary tale appeared on El Reg recently concerning accidental WhatsApp account takeover and is about a person moving from one country to another for work, and changing to a local mobile phone number as they did so. They then started receiving WhatsApp messages meant for someone else. While not specifically a WhatsApp issue, it serves to highlight the issues of using a mobile phone number when setting up a messaging app.
It begs the question – what messages do you have in your WhatsApp chat history? Would you be happy for them to be read by a complete stranger?
Protect your own privacy
Unlike consumer apps, with Armour Mobile and Signet you are able to register with a unique identifier. As well as protecting your account against spoofing (mobile phone numbers being notoriously easy to clone/hack/impersonate), the benefits of identity-based authentication (MIKEY-SAKKE) is that you can be sure that you are communicating with who you think you are communicating with (avoiding deep fake scams). In addition, all this provides an extra level of personal privacy protection.
WhatsApp fined again
In other news, WhatsApp has once again been slapped with a fine for mis-handling data under GDPR legislation. While the sum in question, €5.5m, is fairly paltry in terms of scale it is a further indication of the seriousness of such transgressions in that it has been levied in addition to previous fines. The Data Protection Commission (DPC), Ireland’s data watchdog, has upheld a complaint against WhatsApp dating from 2018, around the requirement of users to accept new terms and conditions that require them to share data, in order to continue using the app.
Armour Mobile and Signet by Armour ensure that contact lists remain private and that personal information is not shared without the owners’ permission. Read our previous blog about GDPR and mobile comms for more information.
Not suitable for Government says ICO (or Enterprise)
Last year, the Information Commissioners Office (ICO) recommended that Government departments review the use of consumer-grade apps such as WhatsApp, private emails and messaging platforms after a year-long investigation that highlighted inadequate data security during the COVID pandemic.
If there are fears for the privacy of government communications, there should equally be caution among the private sector. All enterprises, no matter how large or small, have intellectual property that they would not wish to fall into competitor hands (formulae, customer lists, product roadmaps, employee information, details of proposed mergers and acquisitions, to give just a few examples).
In line with the recommendations made by the ICO, at Armour we urge organisations to review the use of messaging apps to ensure that sensitive and commercially valuable information is not in danger of being compromised, or shared unwittingly. Here we go into more depth about why consumer-grade apps are a security risk.
For more information about how Armour Mobile can help your organisation to protect sensitive information and comply with GDPR, while providing an engaging and easy to use secure comms app to your staff, contact us today