Why can't consumer messaging apps and video conference services be trusted?

9 April 2020 | Enrique Pena

In the current times amid social distancing and a global lockdown, messaging and video conferencing apps such as WhatsApp and Zoom have enjoyed an explosion in demand for their services. But at the same time, cybersecurity researchers have warned that security loopholes in their software could allow hackers to eavesdrop on meetings or access conversations and files. In the case of Zoom, WhatsApp, and others, there is plenty of recent news on governments taking action and banning their use.

Why are governments starting to question these apps more? The simple answer is that the developers of these applications viewed security as a feature, rather than a core architectural foundation. These services have been exposed to security risks they were never designed to protect against, and governments and security-conscious enterprises are finally realising the risks.

Business functionality is where the money is, and in many cases popular consumer apps, or consumer-first apps, are designed and developed with a shortsighted "time to market" focus. They are built around features so that the developers can reap their benefits. With this focus on features, or what the system does, it is no surprise that security is described in the same way.

Consumer-first apps are designed to deliver great experiences, tangible ease of use, and ways to quickly invite new users to interact with. The design imperative is to attain as many users as possible in the shortest time possible. Competition and short windows of opportunity demand that developers release apps and new features as fast as is feasible. New feature releases are often also great marketing and publicity opportunities to generate further awareness of the app's existence and to attract even more users.

Consumer-first apps like WhatsApp and Zoom are inherently feature-focused, not security-focused. The goal is to develop and build a brand and user base very quickly by developing a product viable enough to meet market needs. There is a reason for this behaviour too. A looming IPO, investors, the board, and shareholders all demand quick returns, whatever the metric is, be it the number of users or revenue. Product development prioritises fast user onboarding and adoption, and just enough features, with the least amount of effort, to satisfy early customers.

As a result, security is described as a feature. Such systems have deep architectural and programming flaws that undermine their security. Some of these companies have made the investment in re-architecting their products, with measured security improvements as a result, as WhatsApp did by adding end-to-end encryption in their messaging service. Yet when doing so, they continue to deliver products based on failed security design and development practices.

Developers of consumer applications need to pivot away from thinking about security as a set of features that can be added retrospectively. Security needs to be addressed as a cross-cutting concern, one that cuts across the architecture and proposed functionality. Embedding security into the design, and treating security as a critical goal early in the design lifecycle, is the way to ensure it's an integral attribute of the whole system - a "security-first" philosophy. When security is treated as an afterthought, or developed independently from the overall system design, applications often become brittle, inflexible, and expensive to fix. This is what Zoom is facing today.

At Digital14, we see security as a top priority. We develop hardware and software communication, messaging, and conferencing services that are secure by design, using a "security-first" philosophy. Secure by design is the guiding principle for how our systems are built at all levels, from architecture to code, features and functions, upgrades and updates. We design security into our products from the ground up, enforce it through the architecture design, and preserve it throughout the software's evolution.

Digital14's secure by design philosophy recognises that quality, security, reliability, availability, time to market, and time to profitability are highly interrelated attributes. We never deploy any solution to production before achieving appropriate levels of testing, validation, quality and security. We turn security from a feature focus to an uncompromising principle, ensuring business and security are of equal priority.

Consumer-first apps such as WhatsApp and Zoom began with a feature focus and are now doing their best to fix their security flaws retrospectively. The problem is that unless they redesign their whole system from scratch, they are only adding security features on top of their existing infrastructure. The question is then, can they be trusted?

Digital14 wants your organization, public or private, government or commercial, to have confidence that it can freely communicate and share sensitive information without risk. Visit digital14.com/connect today.
