The media recently was abuzz with news about a major security flaw in the popular messaging app WhatsApp. The WhatsApp security issue left both iPhone and Android users vulnerable to having spyware installed on their phones. According to some sources, some WhatsApp users’ devices were actually breached. Although disturbing, the WhatsApp security flaw might not seem like the sort of thing that enterprise IT would take an interest in. After all, WhatsApp is an application that is primarily geared toward consumers. Even so, there are several things about this story that should deeply concern enterprise IT and security professionals.
First, there are reported to be 1.5 billion WhatsApp users. That’s billion, with a B. In other words, one out of every five people on the planet uses WhatsApp (roughly 19.48% by my calculations, based on a global population of 7.7 billion people). That’s a huge number of people, and the concentration is likely much higher in developed nations.
The big takeaway from those statistics is that the sheer number of WhatsApp users virtually guarantees that there are employees in your company who use the app. In fact, there is a good chance that there are employees who are engaging in shadow IT (either knowingly or unknowingly) by using WhatsApp as an alternative communications channel.
The idea that users may be using an unpatched messaging app that has been proven to be insecure as a means for communicating sensitive company information is unsettling to say the least. However, there is another, arguably more important, issue that must be considered.
According to a 2019 article by Deyan G of Tech Jury, 67% of employees use personal devices at work, and 78.48% of organizations in the United States had BYOD activities in 2018. The article goes on to cite a Cisco report that claims the smartphone is the preferred device of BYOD employees.
So, when you look at the big picture, there is a very high probability that employees within your organization are working from, and accessing corporate resources with, their smartphones. These same smartphones are statistically very likely to have WhatsApp installed. In other words, users are probably running an insecure app on the same device that they use to access some of your organization’s most sensitive data.
Now, some will be quick to point out that the WhatsApp security issue was addressed a couple of months ago with a patch. So, that’s the end of the story, right? Not quite.
One more thing that is worth considering is that WhatsApp is owned by Facebook. Facebook has tremendous financial resources at its disposal. The company acquired WhatsApp in 2014 for $19 billion. Although Facebook’s value has fluctuated wildly over the last couple of years, the company’s value remains in the hundreds of billions of dollars.
As impressive as these amounts might be, it is worth remembering that one of the things that makes smartphones so appealing is their ability to run a huge variety of applications. As such, it is safe to assume that WhatsApp is not the only application that is installed on your users' phones. A 2017 report by App Annie found that “the average smartphone user has more than 80 apps on their phone and uses close to 40 of them each month.” Some of these apps are no doubt created and maintained by large companies such as Facebook. Other apps are likely to have been created by small tech startups or by indie developers. If a huge, multi-billion dollar company like Facebook can ship an app with a massive security vulnerability, then what are the chances that the other apps your users run on their devices are secure?
Early on, BYOD security efforts focused largely on device-level security, such as requiring a device password and forcing the device to automatically lock when idle. As important as these types of policies may be, they do little to mitigate the risks posed by insecure applications. In the future, enterprise IT will need to take a more active role in BYOD device management. This may mean blacklisting apps that are known to be insecure, establishing isolation boundaries and educating users on the latest threats to their mobile devices.