Slack + Snapchat = AppSec? Breaking down the complexity of messaging apps
Messaging applications have recently been hit hard by vulnerabilities, disclosed nation-state hacking attempts and inappropriate behavior by insider employees. As organizations continue to prioritize cybersecurity, outfitting their infrastructure with the latest and greatest defensive and offensive technologies, one area clearly still lacks security – communication and messaging tools.
Why is that? In the age of ISO, FedRAMP, SOC 2 and the rest of the trees in the acronym forest of security compliance, why is messaging, in particular, in such a precarious state? The main reason, in my humble opinion, is how most of these tools were designed.
When it comes to security, the weak point of virtually all messaging apps to date (and many other apps and services, really) is that they’re built on the assumption that users have to trust the service. The problem is – can users really trust the service? I’m not saying there are necessarily bad people running them, but how many breaches (e.g. Equifax 2017) or alleged abuses (e.g. Snapchat 2019) have to happen before the answer to that question becomes clear?
These days so much of our personal data, from our PII to our online activity, is in the hands of third-party service providers. For many services we simply can’t conceive of another way. Our bank, for example, clearly needs access to our account information and financial transactions – this access is, in fact, what makes it a bank and pretty much is the service it provides. Messaging services, however, are different. They are not like banks. They don’t need access to the content of the messages they deliver. Unfortunately, most of them were designed with this access, and now we’re all suffering for it.
Once a messaging service is built on a precondition of provider trust, that design becomes its Achilles heel and its users generally suffer. Across industries, protecting user data has proven to be a stiff challenge, and whether it’s abuse (e.g. the alleged insider abuse at Snapchat in 2019), exploitation or loss (e.g. the Equifax data breach of 2017), the risk is high.
First, we have to contend with the providers themselves. Once a service has access to user data, it almost always finds ways to leverage that data to its own advantage, engaging in practices like scanning messages for marketing purposes or abusing contact books to drive growth.
Then there are hackers to contend with. The bottom line we’ve learned through long, hard experience is that anything the provider has can be taken from it by attackers, internal or external, and Mr. Murphy says it will typically happen when and where it will hurt us most.
The right way to think about trust when you want security is that less is more. The concept of zero trust as a security goal, which really hasn’t changed much since we were keeping secrets in kindergarten, is that ideally, if you don’t need to trust someone, you shouldn’t, and if you don’t need to trust anyone, don’t. Practically, as it relates to the use of technology and especially messaging services today, it means the fewer people or things you need to trust with something important to you (like a private message), the better off you generally are.
What we need to know as consumers is that our service providers can implement their services in ways that put less of our sensitive data at risk and, as a result, require us to trust them less. Done properly, end-to-end encryption (e2e) – encrypting messages in such a way that they cannot be decrypted by anyone or anything except the recipient, on the recipient’s device – and data minimization are effective ways for providers to ask us to trust less and gain more.
So much in security comes down to whom to trust. Any chance we get to trust fewer things with less of our critical data is an opportunity for greater security that we should not pass up. Too many messaging services have squandered their opportunity to provide meaningful user security by essentially designing it out of their systems. I think there’s just too much at stake to design things like that any more. When we consider the security of our messaging tools going forward, we should remember that the less we have to trust them, the more we can.