Can you verify Cloud App vendors?

Evaluating cloud app vendors

After discovering that users could authorize third parties to access enterprise data with just three clicks, we started to look at who people had actually given access to.
One such third party was Boomerang, aka Baydinc. I remember having seen the name before. I do not know the company, but we have a few happy users of their product.
This blog article is about how to judge whether a plugin should be allowed or not, or whether it is even possible to make this judgement.

This article uses Boomerang for Outlook as an example, and looking through paranoid glasses, it would be a clear no. But that would be based on stereotypes, prejudice etc. The unbiased conclusion is that it is impossible to evaluate.

Outlook Add-In Store

In the store, it only gets a 3-star rating. This might be a warning indicator.

Next, looking at what permissions it needs, Microsoft clearly writes that it can access and modify personal information in THE active message.
Installing it and pressing "Open Boomerang", I need to authenticate the app before it works. So it needs more access: it wants permission to read and write all my mail. So Microsoft and Boomerang do not agree on what permissions are needed.
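One way to check that disagreement across a tenant is to compare the delegated OAuth scopes users have actually consented to against the permission level the store listing claims. The following is an added example, not code from the original post or from Microsoft or Boomerang: the records mimic the shape of Microsoft Graph `oauth2PermissionGrants` objects but are constructed, the app and user ids are placeholders, and the mapping of the store's "active message only" wording to the `ReadWriteItem` add-in manifest level is an assumption.

```python
"""Audit delegated OAuth consent grants against an add-in's store-declared permission.
SAMPLE_GRANTS mimics Microsoft Graph's GET /oauth2PermissionGrants records (clientId,
consentType, principalId, scope); ids and grants are constructed, not real tenant data."""
from collections import defaultdict

# Outlook add-in manifest <Permissions> levels, least to most access.
MANIFEST_RANK = {"Restricted": 0, "ReadItem": 1, "ReadWriteItem": 2, "ReadWriteMailbox": 3}
# Delegated Graph scopes mapped to the manifest level they are at least as broad as;
# any mailbox-wide mail scope counts as ReadWriteMailbox-level trust.
SCOPE_RANK = {
    "openid": 0, "profile": 0, "offline_access": 0, "User.Read": 0,
    "Mail.Read": 3, "Mail.ReadBasic": 3, "Mail.ReadWrite": 3, "Mail.Send": 3,
}

def effective_rank(scopes):
    """Broadest manifest-equivalent level among the scopes; unknown scopes rank highest."""
    return max((SCOPE_RANK.get(s, 3) for s in scopes), default=0)

def audit_grants(grants, declared):
    """Per app: who consented, which scopes, and whether consent exceeds the declared level."""
    per_app = defaultdict(lambda: {"users": set(), "scopes": set(), "admin_consent": False})
    for g in grants:
        app = per_app[g["clientId"]]
        app["scopes"].update(g["scope"].split())
        if g["consentType"] == "AllPrincipals":  # tenant-wide admin consent
            app["admin_consent"] = True
        else:                                    # per-user consent
            app["users"].add(g["principalId"])
    report = {}
    for client_id, info in per_app.items():
        claimed = MANIFEST_RANK[declared.get(client_id, "Restricted")]
        report[client_id] = {
            "user_count": len(info["users"]),
            "admin_consent": info["admin_consent"],
            "scopes": sorted(info["scopes"]),
            "exceeds_declared": effective_rank(info["scopes"]) > claimed,
        }
    return report

SAMPLE_GRANTS = [  # constructed sample data
    {"clientId": "sp-mail-addin", "consentType": "Principal", "principalId": "user-1",
     "scope": "openid profile offline_access User.Read Mail.ReadWrite"},
    {"clientId": "sp-mail-addin", "consentType": "Principal", "principalId": "user-2",
     "scope": "openid offline_access Mail.ReadWrite Mail.Send"},
    {"clientId": "sp-profile-only", "consentType": "Principal", "principalId": "user-1",
     "scope": "openid profile User.Read"},
]
# The store's "active message only" wording is assumed to map to ReadWriteItem.
DECLARED = {"sp-mail-addin": "ReadWriteItem", "sp-profile-only": "Restricted"}
```

Run against a real export of a tenant's grants, the `exceeds_declared` flag and `user_count` together answer the question the post ends with: which apps hold mailbox-wide access, and how many existing users would be affected by revoking it.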


Starting research

Visiting the Boomerang for Outlook webpage, https://www.boomerangoutlook.com/, it is difficult to find any contact information for the company. You have to find it in the terms and conditions, or the privacy policy.
Looking it up on Google Street View, we can see the address is the Hong Kong Bistro, so likely a small office upstairs? This just proves that anybody can create a company these days and sell large scalable web services in the cloud. It is difficult to judge a company's physical presence from their web presence.



The company refers to their angel investment profile. They have raised $400k+, but back in 2011. Are they self-sustainable? Have they changed business focus? Do they sell information they have access to? Nobody knows.

The company seems to be run by Asian-looking citizens. And since China is usually listed everywhere as the country that spies and collects info everywhere, this is one more paranoia check mark.


So, is the company legit and making money? If not, what will they do with the access when the company runs into financial troubles?
Are they delivering your data to the Chinese government? Someone else?

There are lots of unanswered questions here, and my attempt to see if this app is legit or not just makes me more paranoid.

I am almost sure I have used Boomerang at some point in the past, but I have also checked that I have not granted consent to Boomerang on any of my private mail accounts (Microsoft AND Google). I am fairly sure they at least used to be legit.

Searching for Aye Moah, there seem to be enough articles and videos, including one from Startup Grind 2019, that she must be a real, living person, and again this helps indicate everything is legit.

But is there any way to be sure? Or is this just the risk of doing business in a web world?

From an enterprise perspective, it would be difficult to justify new users for this app if we are going to protect e-mail as company data. The big question is if we should remove its access for existing users.
