Open source is to blame for unsecure Google Android apps

android

Research by a US university undergraduate that has revealed that Google Android apps are sending user credentials in the clear comes as no surprise.

According to newswire reports, Dan Wallach’s research has revealed that several Android apps – including an approved Facebook application – are sending all data but the password ‘in the clear.’ This is absolutely typical of open source software, since there is little incentive for the software developer to use secure protocols unless the destination system requires this.

And this is the biggest issue with open source software. Whilst the economic imperative to go open source is clearly very strong, companies that use open source, such as Android, which is based on Linux code, also need to ensure their software is robust on the security front, and this process costs money.

Android apps are an interesting case as, unlike most open source software, the apps are usually designed to run on as as-is basis, so adding security to the IP transmission side is not always as easy task.

I would go one step further and state that this disclosure is but, one early warning shot about the use of cloud computing and new platforms such as Android and Windows Mobile 7. The other element is the stark reality that computer science graduates rarely, if ever, receive any training on how to write secure applications. So it should come as no surprise that many applications created by these same people are insecure.

Depending on the platform provided by a vendor, the core security available to the developer (given that they know what they are doing), can also be woefully inadequate. As a consequence, developers of applications frequently find themselves needing to add layer upon layer of additional technology which may beyond their expertise and budget. Because security is frequently an “out of sight, out of mind” problem, it does not get addressed/funded until someone complains or something bad happens.

With apps for other smartphone platforms – such as BlackBerry and iOS – for the iPhone, iPad and iPod touch – there are vetting procedures in place to ensure that a third-party application does not get offered without some sort of assurance that it is robust from a security perspective.

At the end of the day, however, it is difficult to guarantee that a smartphone app is as secure as a desktop application, for the simple reason that few smartphone users in a corporate environment have access to smartphone app security checking.

This is why I’m so big on privileged account security, since using an account that has high user privileges on a smartphone – especially across public access WiFi channels, which can easily be eavesdropped – is a high risk activity.

So this story is a great lesson that it is time for developers to hit the books on how to secure their applications, and platform vendors need to complete their security and encryption suites to make it “easy” for developers to write secure applications.

Yes, it is convenient to access a Web interface to a computer system using a smartphone whilst on the move, but his is why privileged identity management systems exist. Carefully controlling what any user can do – or cannot do – is at the heart of a good security system.

I suspect you will find many other examples of smartphone apps that have a security hole in them. The sad fact is that, until smartphone-transmitted someone’s credentials are ransacked to commit a serious cybercrime, we don’t get to hear about this until it’s too late.

Philip Lieberman, the founder and president of Lieberman Software, has more than 30 years of experience in the software industry. In addition to his proficiency as a software engineer, Philip is an astute entrepreneur able to perceive shortcomings in existing products on the market, and fill those gaps with innovative solutions. He developed the first products for the privileged identity management space, and continues to introduce new solutions to resolve the security threat of privileged account credentials. Philip has published numerous books and articles on computer science, has taught at UCLA, and has authored many computer science courses for Learning Tree International. Philip has a B.A. from San Francisco State University.

  • gus3

    Wow, could there be a more ignorant, biased article on this site? Blaming “Open Source” in the title for security problems that, by the author’s admission, exist on both open- and closed-source platforms, fairly screams “follow the money!”. Lieberman Software, the author’s company, is partnered with several closed-source companies, including Microsoft, Oracle, and Cisco, and it is not a stretch to see that the author is trying to scare people into staying with “the devil they know,” rather than consider the alternatives.

    When Microsoft can perform a top-to-bottom security audit of their Windows software (currently impossible with its bloated code base), and demonstrate consistently rapid response to security issues that arise, only then will the security-minded consider Windows a feasible candidate for critical tasks.

    Until then, other systems hold more appeal, including those dreaded “Open Source” options. Yes, there will be security issues, but Open Source makes things more fixable, more quickly, by more people, than relying on some corporate behemoth like Microsoft.

  • Nathan Ladwig

    Microsoft, if you look at it’s track record, is overall equal in speed at fixing exploits as the open-source community, so your comments against it for being bloated and a ‘behemoth’ are relatively misinformed.

    I will, however, agree that this article is completely biased. There is no real security difference between open- and closed-source. iOS applications are no more secure than Android applications, which are no more secure than WiMO applications.

    Besides, what does it matter if someone eavesdrops on you tweeting that you hate getting stuck in the airport, or that you sent an e-mail that you’re going to be late for a meeting? If you’re doing something that really requires that much security, you’ve most likely put the time and effort into making it secure, and if not, you’re going over other channels for communication.

  • Guy you don’t need to know

    You’re an idiot. Open source software *is* typically more secure then closed-source software.