TL;DR
Yes, Google Hangouts traffic can be read over corporate WiFi, even with TLS 1.2 encryption, depending on your company’s security setup. Your IT department could potentially intercept and inspect the data. Using a VPN is the best way to protect your privacy.
Understanding the Risks
Hangouts uses Transport Layer Security (TLS) to encrypt communication between your phone and Google’s servers. TLS 1.2 is generally considered secure, but it doesn’t make your data invisible to everyone on a network. Here’s why:
- Man-in-the-Middle Attacks: A malicious actor (or your IT department) could intercept the communication and decrypt it using a rogue certificate that your device has been made to trust.
- Certificate Pinning Bypass: While Hangouts uses certificate pinning, some older versions or configurations might be vulnerable to bypasses.
- Corporate WiFi Security Policies: Many companies use:
  - Proxy Servers: Your traffic is routed through a proxy server where it can be logged and inspected.
  - Packet Inspection (Deep Packet Inspection – DPI): Your traffic is examined for specific patterns or keywords. Even with TLS, metadata like the websites you visit can often be seen.
  - SSL Interception: Your company might install its own root certificate on your devices and intercept HTTPS connections (including Hangouts) to decrypt and inspect the data before re-encrypting it and sending it on. This is a common practice for security purposes, but it means they can see your Hangouts messages.
How to Protect Your Hangouts Data
Here’s how to improve the security of your Google Hangouts communications when using corporate WiFi:
1. Use a Virtual Private Network (VPN)
- What it does: A VPN creates an encrypted tunnel between your phone and a remote server, masking your IP address and encrypting all your internet traffic. This prevents anyone on the corporate WiFi from seeing what you’re doing online.
- Choosing a VPN: Select a reputable VPN provider with a strong privacy policy (no logging of your activity). Paid VPNs are generally more reliable than free ones.
- Connecting to the VPN: Install the VPN app on your phone and connect to a server before using Hangouts.
2. Check Your Device’s Security Settings
- Trusted Certificates: Review the list of trusted certificates installed on your phone. Look for any unfamiliar or company-issued certificates that might be used for SSL interception.
  - Android: Go to Settings > Security > Encryption & credentials > Trusted credentials (the exact path may vary depending on your Android version).
  - iOS: Go to Settings > General > VPN & Device Management > Configuration Profile.
3. Use Hangouts Web Version with HTTPS
If possible, access Hangouts through a web browser instead of the app. Ensure you’re using https://hangouts.google.com (the ‘s’ indicates a secure connection). However, this is still vulnerable to SSL interception if your company performs it.
4. Be Aware of Phishing and Malware
- Phishing Attacks: Be cautious of suspicious links or messages that ask for your Google account credentials.
- Malware: Keep your phone’s operating system and apps up to date to protect against malware that could compromise your security.
5. Consider Alternative Secure Messaging Apps
If privacy is paramount, consider using end-to-end encrypted messaging apps like Signal or WhatsApp (although these also have their own considerations regarding data collection). These apps encrypt messages on your device before they are sent, so even if someone intercepts the traffic, they won’t be able to read them.
Checking Your Connection
You can use online tools to check if your connection is secure. However, these aren’t foolproof and don’t guarantee complete privacy:
- SSL Server Test: https://www.ssllabs.com/ssltest/ (tests the SSL configuration of a website, but won’t show if your company is intercepting traffic).
- IP Address Check: https://whatismyipaddress.com/ (confirms your public IP address and location; using a VPN will change this).
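The tools above look at the server or at your public IP address, not at the certificate your own device is shown. A client-side check is to look at who issued that certificate, as in this added example (not part of the original page). The expected issuer name "Google Trust Services" is an assumption about Google's public CA, and both sample certificates are constructed.

```python
import socket
import ssl

# Assumption: issuer organization expected on Google's public certificates.
EXPECTED_ISSUER_ORGS = ("Google Trust Services",)


def issuer_org(cert):
    """Return the issuer organizationName from a getpeercert()-style dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def classify(cert, expected=EXPECTED_ISSUER_ORGS):
    """Label a certificate 'expected', 'unexpected-issuer' or 'no-issuer'."""
    org = issuer_org(cert)
    if org is None:
        return "no-issuer"
    if any(org.startswith(name) for name in expected):
        return "expected"
    return "unexpected-issuer"


def fetch_cert(host, port=443, timeout=5):
    """Fetch the certificate this machine is actually shown for host.

    Validation uses Python's default trust store. If a company root is in
    that store, an intercepted connection validates but the issuer differs.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in the shape ssl.getpeercert() returns.
DIRECT = {"issuer": ((("countryName", "US"),),
                     (("organizationName", "Google Trust Services"),),
                     (("commonName", "constructed-intermediate"),))}
INTERCEPTED = {"issuer": ((("organizationName", "Example Corp IT"),),
                          (("commonName", "Example Corp TLS Inspection CA"),))}

if __name__ == "__main__":
    for name, cert in (("direct", DIRECT), ("intercepted", INTERCEPTED)):
        print(name, issuer_org(cert), classify(cert))
    # Live check (needs network): classify(fetch_cert("hangouts.google.com"))
```

An issuer name is only a heuristic, since an inspection appliance can put any name in the certificates it generates; comparing the certificate fingerprint with one recorded on a network you trust is a stronger check.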