How Messaging Apps Should Be Protecting Their Users

By Simon Owens

Last month, the messaging app Whatsapp announced on its blog that it had surpassed 1 billion users. “That’s nearly one in seven people on Earth who use WhatsApp each month to stay in touch with their loved ones, their friends and their family,” the company wrote. While this is certainly a monumental accomplishment for the company, it’s also indicative of the growing popularity of OTT messaging apps and how they’re quickly becoming a dominant force in peer to peer communication. Whether it’s Facebook Messenger, WeChat, Line, or Snapchat, messaging apps are attracting user bases in the hundreds of millions, and new entrants are wading into the space every day.

But with this newfound popularity comes profound implications for how it will affect our daily lives. With users now sending trillions of messages per year over these apps, they’re now increasingly vulnerable to scam artists and malcontents who want to steal money and identities. This is especially pertinent as many messaging apps begin opening their platforms to online transactions and ecommerce sales. A survey of messaging app users conducted by tyntec last year found that 40 percent of Chinese users and 15 percent of American users are seriously worried about security.

So what should messaging app companies be doing to protect their users from things like identity theft, money loss, phishing, and spam? Here are three:

Encryption

Good security starts within the design of the app itself, and many of the most secure apps leverage current encryption technology. Most people have likely heard about the recent battle between Apple and the U.S. Department of Justice over encryption, but there are actually several different types of encryption; a message can be encrypted between when it’s sent from a user and then is stored on the company’s server, or it can be encrypted from user to user. The latter is considered more secure. “You need to be encrypting the communications channel through the actual transportation layer within the application,” said Horden Wiltshire, CEO of Soprano Design, a mobile solutions company. “They should also be investing in encrypting the packets going back and forth. Not just the transportation, but the individual packets of messages going between the players.”

[LIKE THIS ARTICLE SO FAR? FOLLOW US ON TWITTER TO GET NEW INSIGHTS AND DATA ON OTT INNOVATION]

Wiltshire also argued that there should be third party validation to confirm your encryption is secure. “You should be going through some sort of auditing process,” he said. “There are a number of global standards, and so you should be investing in third party independently validated and certified security auditing.”

Out of band authentication

One of the best ways to thwart would-be malicious hackers is to place multiple barriers between them and a user’s account. This involves implementing some form of out-of-band authentication, which means requiring a user to offer up two pieces of authentication before being granted access. Often referred to as two-factor authentication, this usually means that, in addition to being required to enter a password, you also must enter a unique PIN that is sent via SMS. This way, you need both possession of a phone and knowledge of the original password. It’s easy for a thief to gain access to one of these channels; much more difficult to obtain both.

Two-factor authentication should be leveraged when a user initially signs up for an account, whenever they try to make payments, and even when they lose their password. “If that password recovery only involves sending the password over email, that’s not super secure because whoever gets access to the email account can get access to that password and take over the account,” said Catalin Badea, a product manager at tyntec. “With two-factor authentication, the PIN can be sent over SMS, it can be put into the app, and then again we have the certainty that only the actual user who owns the respective mobile phone is able to set the new passwords.”

Call number verification

Once you have someone’s phone number, there’s a wealth of data that can be accessed to inform you whether that phone number is valid, where it hails from, and if it’s been associated with questionable activity. “So when an app user is using a credit card the company is able to compare where the credit card is used to the respective location of the phone number,” said Badea. “And if these two don’t match then the company is alerted to a potential problem, because someone is trying to use your credit card abroad but your phone is at home. So it’s possible to match location data and phone number information within the context from the respective transaction to strengthen the security for specific use cases.”

***

Of course, most messaging apps have different designs and use cases, so it’s impossible to form a one-size-fits-all approach to security, but anxiety over security issues is a real concern for consumers and may impact their use habits. In a world where data breaches and mass identity theft is common, messaging apps must take security seriously, otherwise they risk losing the confidence from their users if something goes wrong.

To access tyntec’s OTT research, go here