HKCERT
Hong Kong Computer Emergency Response Team Coordination Centre

Security Guideline

Mobile Instant Messaging Security Guidelines

Release Date: 31 / 03 / 2015
Last Update: 20 / 04 / 2015

 

What is IM?

IM (Instant Messaging) is a real-time communication system that allows two or more users to exchange text messages, files, voice and video over a network immediately. With the rise of smartphones, IM applications have moved from the PC to mobile platforms. Whether your mobile device runs Android, iOS or Windows Phone, a simple registration lets you communicate with your friends instantly.

 

Mobile IM services are becoming much more common, for both personal and business matters. They are used to send messages, web links, photos and other kinds of files to others. However, the convenience of these services also brings information security problems.

 

Security threats

1. Phishing messages or links

Messages with phishing content or links can be sent to users via mobile IM. If users do not check the authenticity of the content, they may fall victim to phishing scams or fraud.

 

2. Malware Spreading

Messages carrying malware or malicious attachments can be sent to users. If a user inadvertently opens such a message or attachment, the application or the system may be compromised.

 

3. Sensitive data leakage

When mobile IM is used over a public network, message contents may be intercepted and eavesdropped on, leading to leakage of sensitive information.

 

4. Account theft

Many mobile IM applications provide a desktop or web version, which lets users use the same IM account on a computer. However, if an attacker cracks the account password, or the user does not manage the account properly, the account may be misappropriated.

 

5. Vulnerable application

Software updates are required to deliver bug fixes. If users do not apply application updates promptly, malicious users can attack through the software vulnerabilities. This may crash the application or system, or leak sensitive data and account information.

 

Security guidelines - Personal

1. Understand the security features of mobile IM application

Mobile IM services offer different security features, such as message encryption, self-destructing messages, two-factor authentication for login, privacy settings and cloud backup. Users should understand the security features of their IM applications and apply settings appropriate to their needs.

 

2. Turn off the automatic acceptance of friends and search function

Attackers can find targets through an IM application's friend search and then send phishing and fraudulent messages to them. To avoid becoming a victim, turn off automatic acceptance of friend requests and the search function, reducing the risk of information leakage and of falling into a trap.

 

3. Be aware of the messages containing unknown links and attachments

Most mobile IM applications support group or broadcast messaging, and unknown links and attachments can reach users through broadcast messages. Some of these may contain malware. If you have doubts about a link or attachment, do not open it.

 

4. Avoid sending personal or sensitive information

Mobile IM applications rely on a network and on messaging servers to provide the service. There may be security issues in message transmission and storage, e.g. messages may be intercepted on public WiFi, or stored on the phone without encryption. Therefore, users should avoid sending personal or sensitive information through mobile IM applications.

 

5. Manage your IM account

Many mobile IM applications provide a desktop or web version. In addition to setting a screen lock on the mobile device to prevent unauthorized use of the IM account, users also need to manage the IM account properly on desktops and in browsers: log out of the IM service after each use, and do not enable the "remember account password" option.

 

6. Update the application

Application updates generally provide bug fixes rather than new features. Keeping the application up to date therefore improves stability and patches known security vulnerabilities.

 

Security guidelines - Corporate

In addition to the guidelines above, companies should consider the following when using mobile IM applications.

 

1. Develop the rules of use

Companies should develop a policy for using mobile IM applications in business, for example:

  • Employees should only use the company-specified IM applications;
  • Employees should not send the company's sensitive information or internal documents through mobile IM applications;
  • Employees' mobile devices should be set up with screen lock and storage encryption, etc.

 

2. Consider using a mobile IM application which supports private messaging servers

Certain mobile IM applications support private messaging servers, ensuring that messages are transferred through and stored on servers the company controls, which reduces the risk of data leakage.

 

3. Deploy BYOD management solution

Deploying a BYOD management solution ensures that employees' mobile devices comply with company policies and settings.

 

4. Provide information security training for staff regularly

Training lets employees understand the security threats and the company's policies on using IM applications. This enhances employees' security awareness and reduces the security risk of using IM applications.