Facebook Messenger, WhatsApp, and Wickr Me are the most frequently blacklisted Android apps by enterprises, according to a new 2018 study.
The Q2 ’18 Enterprise Mobile Security Pulse Report from security provider Appthority, looks at the mobile apps most commonly used in enterprises, and also the apps most likely to be blacklisted by IT teams.
Four of the top five most frequently blacklisted Android apps, (and two of the top five iOS apps), were messaging apps. Facebook Messenger and WhatsApp featured on both lists, both scoring 7 out of a maximum of 10 for risk – indicating that they access and/or send enterprise related information or personal identifiable information.
Why enterprises blacklist apps
Enterprises blacklist apps for a number of reasons; the most common one is a failure to meet their security policies.
Concerns over the way many of these apps handle data, or leak sensitive information, have long been a concern for IT teams and CIOs who want to balance their security requirements with BYOD (Bring Your Own Device) policies and business users’ desire for more consumer-like experiences in the workplace.
Both Facebook Messenger and WhatsApp were called out by the report for sharing users’ address book details. A clear infringement of GDPR regulations if your contact list happens to include the names of other employees, and clients.
Worryingly, it’s also unclear exactly what data is extracted from a user’s address books by WhatsApp, how it’s processed, and what is shared with its parent company Facebook.
This is what recently led to Continental ban WhatsApp for its mobile workforce.
In June this year, Continental banned the use of WhatsApp on 36,000 devices used by a workforce of almost 240,000 employees. The company’s fear was that because such apps could access users’ “personal and potentially confidential data, such as contacts, and thus the information of third parties”, it violated GDPR’s terms for the processing and storing of personal data.
Also, because WhatsApp is most likely connected to a user’s individual account, companies lose the ability to centrally audit the app, and inform customers how their data is being handled; another core GDPR requirement.
The tide is turning
For many years, businesses have worked to an assumption of ”acceptable risk”. CIOs and CIROs were, I’m sure, never fully comfortable with seeing free, consumer-grade messaging tools like WhatsApp being used in their business for sharing confidential information or client data; but because they met a very real business case for a more immediate chat experience, little was done.
It seems, however, that the tide is turning as businesses become more aware of their data confidentiality obligations.
This is one of the reasons why Wire is quickly becoming the messaging platform of choice for enterprises looking to preserve the integrity of their data. In fact, we understand that Continental’s internal staff memo about WhatsApp even recommended switching to a secure messenger like Wire (article in German) as an alternative.
Wire was built with privacy-by-design principles in mind and can help an organization to meet its GDPR-related requirements. In particular, Wire does not require sharing of the address book, and it offers businesses full control over app usage, including one-click removal of ex-employees from accessing chat history, shared files, and contacts.