I recently shared my thoughts on a troubling topic covered in InfoSecurity Magazine and many other publications. As you’re probably aware, research by Dan Wallach, a professor at a US university, shows that several Android apps, including an approved Facebook application, send all of their data except passwords “in the clear”. Anyone who follows this blog knows that I write extensively about the importance of managing the security of user credentials, particularly privileged account credentials, so my response to Dan’s research will come as no surprise.
This situation with Android is absolutely typical of open source software, since there is little incentive for the software developer to use secure protocols unless the destination system requires it. And this is the biggest issue with open source software. While the economic imperative to go open source is clearly very strong, companies that use open source such as Android (which is based on Linux code) also need to ensure their software is robust on the security front, and this process costs money.
Android apps are an interesting case. Unlike most open source software, Android applications are usually brought to market without a formal vetting process, and securing the network transport side of an app is not always an easy task. With apps for other smartphone platforms – such as BlackBerry and iOS for the iPhone, iPad and iPod touch – there are procedures in place to ensure that a third-party application is not offered without some sort of assurance that it is robust from a security perspective.
At the end of the day, it is difficult to guarantee that a smartphone app is as secure as a desktop application, for the simple reason that few users in corporate environments have the tools necessary to verify smartphone security. This is why I’m so big on privileged account security: using an account that has high user privileges on a smartphone – especially over public Wi-Fi networks, which can easily be eavesdropped on – is a high-risk activity. It’s just asking for trouble.
Yes, it is convenient to access the Web interface of your in-house applications using a smartphone while on the move, and this is where privileged identity management systems can add a great deal of value.
Carefully controlling what any user can do – or cannot do – is at the heart of a good security architecture. I suspect you will find many other examples of smartphone apps that have security holes. The sad fact is that we won’t hear about them until credentials transmitted by a smartphone are exploited to commit a headline-grabbing cyber crime, by which time it’s too late.