Research by a US university undergraduate that has revealed that Google Android apps are sending user credentials in the clear comes as no surprise.
According to newswire reports, Dan Wallach’s research has revealed that several Android apps – including an approved Facebook application – are sending all data but the password ‘in the clear.’ This is absolutely typical of open source software, since there is little incentive for the software developer to use secure protocols unless the destination system requires this.
And this is the biggest issue with open source software. Whilst the economic imperative to go open source is clearly very strong, companies that use open source, such as Android, which is based on Linux code, also need to ensure their software is robust on the security front, and this process costs money.
Android apps are an interesting case as, unlike most open source software, the apps are usually designed to run on as as-is basis, so adding security to the IP transmission side is not always as easy task.
I would go one step further and state that this disclosure is but, one early warning shot about the use of cloud computing and new platforms such as Android and Windows Mobile 7. The other element is the stark reality that computer science graduates rarely, if ever, receive any training on how to write secure applications. So it should come as no surprise that many applications created by these same people are insecure.
Depending on the platform provided by a vendor, the core security available to the developer (given that they know what they are doing), can also be woefully inadequate. As a consequence, developers of applications frequently find themselves needing to add layer upon layer of additional technology which may beyond their expertise and budget. Because security is frequently an “out of sight, out of mind” problem, it does not get addressed/funded until someone complains or something bad happens.
With apps for other smartphone platforms – such as BlackBerry and iOS – for the iPhone, iPad and iPod touch – there are vetting procedures in place to ensure that a third-party application does not get offered without some sort of assurance that it is robust from a security perspective.
At the end of the day, however, it is difficult to guarantee that a smartphone app is as secure as a desktop application, for the simple reason that few smartphone users in a corporate environment have access to smartphone app security checking.
This is why I’m so big on privileged account security, since using an account that has high user privileges on a smartphone – especially across public access WiFi channels, which can easily be eavesdropped – is a high risk activity.
So this story is a great lesson that it is time for developers to hit the books on how to secure their applications, and platform vendors need to complete their security and encryption suites to make it “easy” for developers to write secure applications.
Yes, it is convenient to access a Web interface to a computer system using a smartphone whilst on the move, but his is why privileged identity management systems exist. Carefully controlling what any user can do – or cannot do – is at the heart of a good security system.
I suspect you will find many other examples of smartphone apps that have a security hole in them. The sad fact is that, until smartphone-transmitted someone’s credentials are ransacked to commit a serious cybercrime, we don’t get to hear about this until it’s too late.