What is PPAP? The problem that led to its ban and safe alternatives

PPAP is actually dangerous! We explain why it was banned, its problems, and safe alternatives.

What is PPAP?

PPAP is a file transfer method used mainly within companies to securely send email attachments. It is considered to be an abbreviation of “P: Send ZIP encrypted file with Password,” “P: Send Password,” “A: Angouka (encryption),” and “P: Protocol (protocol)*. This method was invented to prevent data leaks, but in recent years many questions have arisen about its security.

*The protocol in PPAP refers to the procedure of sending the ZIP file and the password separately.

How PPAP works

[1st message]

Sending a ZIP file with a password

Files containing confidential information are sent in a password-protected ZIP format.

[2nd mail]

Separate transmission of password

A password to decompress the previously sent file is sent by another e-mail or communication method.

At first glance, this protocol seems to offer enhanced security through password protection, but in fact, serious vulnerabilities exist and moves are underway to ban it.

Why was PPAP banned?

There are several important reasons behind the banning of PPAP. Although PPAP appears to be secure, it is in fact a very high-security-risk method. ZIP files with passwords can easily evade detection by security software, and sending the password separately can have the effect of psychologically inducing the recipient to open the file.
Therefore, PPAP has been exploited by attackers as an effective means of spreading malware such as Emotet and ransomware.
In addition, PPAP is also problematic because it requires a lot of work to be exchanged between the sender and the recipient, making it complicated to manage. In particular, when multiple identical files exist in a mailbox, their management becomes complicated and the risk of accidentally deleting an important file increases.

In 2020, the Japanese government has announced a policy to phase out the use of PPAP. This is because the security risks of PPAP have been identified by government agencies, which have been asked to move to a more secure means of transmitting files. As a result of the government’s policy, many companies have discontinued PPAP and are shifting to more secure means of sending files, including a widespread movement to reject PPAP as a receiving method.

Problems with PPAP

Although PPAP appears to be a security-enhancing method, several problems have been pointed out

img malware

Easily exploited by malware attacks

ZIP files with passwords are at risk of being abused as a means of spreading malware if an attacker obtains the password. The attacker embeds malicious code in the email in hopes that the target recipient will open the ZIP file. This process can potentially infect the entire system and cause a serious security incident.

icon_hacker

Potential Eavesdropping Risk

The PPAP technique takes the approach of sending passwords and files separately, which creates the possibility of eavesdropping risk. The security of the data sent cannot be guaranteed, as this increases the possibility that an attacker can intercept the email and obtain both the password and the file. The risk of eavesdropping is especially high when these communications take place within the same network.

icon man worry

Lack of Convenience

One of the problems with PPAP is the lack of convenience. Especially on smartphones and some other devices, it can be difficult to open a ZIP file with a password. This makes the recipient’s work complicated, requiring them to find an appropriate application or transfer the file to a PC to open it. This inconvenience reduces work efficiency and can lead to wasted time.

Alternatives to PPAP

As a secure and efficient alternative to PPAP for transferring email attachments, HENNGE One’s solutions “HENNGE Secure Download” and “HENNGE Secure Download for Box” are introduced. These tools offer a more secure and convenient way to exchange data, making them the perfect alternative to PPAP.

HENNGE Secure Download

HENNGE Secure Download is an alternative to PPAP. The sender simply sends a file attachment to the email as before, and the attachment is automatically detached and uploaded to the solution, while the recipient receives the original email body and a PDF with the URL to download the file. The recipient only needs to authenticate their e-mail address from the URL in the PDF and enter an authentication code to securely download the file, eliminating the hassles and security risks associated with PPAP.
In addition, even if the sender happens to attach the wrong file, the URL can be disabled after transmission to prevent accidental transmission.

HENNGE Secure Download diagram
User-friendly operation

Attached files are automatically converted to URLs, so senders can simply attach files to e-mails without being aware of it. This leads to a reduction in man-hours by eliminating the need for manual ZIP encryption operations.

Prevents downloading by third parties

Only the recipients of TO/CC/BCC emails can download files after their email addresses are authenticated. The download status can also be checked from the user screen.

Countermeasure against accidental transmission

If an attached file is accidentally sent, the URL can be disabled after sending, reducing the risk of information leakage due to accidental transmission.

Improved Convenience for Recipients

No advance preparation or installation is required on the part of the file recipient. Files can also be downloaded from smart devices, which has been difficult with conventional ZIP files.

HENNGE Secure Download for Box

HENNGE One also offers HENNGE Secure Download for Box, which is linked with the cloud storage service Box. In this service, the sender simply sends a file as an attachment to an e-mail as before, and the file is automatically uploaded to Box. The recipient will receive a PDF with the text of the file and a URL to share, and can download the file using an authentication code sent in a separate email. Even if the sender attaches the wrong file, the URL can be disabled after transmission to prevent accidental transmission.
This is an essential solution for customers who want to consolidate all their internal documents in Box with PPAP measures.

PPAP may seem like a convenient method, but it actually poses many security risks. As a result, its use is now banned in many companies and organizations, and more secure and efficient alternatives are being sought.


HENNGE One’s HENNGE Secure Download and HENNGE Secure Download for Box are secure and reliable alternatives to PPAP. These tools simplify data exchange and enhance security at the same time.
We encourage you to explore these features of HENNGE One so that your company or organization can securely exchange information without relying on PPAP.

Contact Us

Also read: What is Zero Trust Security?

  1. What is Zero Trust Security -What is Zero Trust Security and its advantages, disadvantages & challenges and solutions.
  2. What is IDaaS – ID management service that solves the problem of using passwords and increasing man-hours to manage cloud services and security issues.
  3. What is Single Sign-On (SSO)? How SSO works, its advantages and disadvantages, and its solutions