SSL Problems Plague Many Mobile Apps: Intel Report
Intel Security's February 2015 McAfee Labs Threats Report finds continued mobile security issues that aren't being fixed.
There continues to be a lack of proper Transport-Layer Security for mobile apps, according to Intel Security, which published a new report on Feb. 24. In September 2014, the Computer Emergency Response Team (CERT) at Carnegie Mellon University publicly identified a list of multiple mobile apps that had Secure Sockets Layer (SSL) issues. In January 2015, Intel Security's McAfee Labs tested the 25 most popular apps from the CERT list and found that 18 of them still have SSL security issues. These issues could potentially enable an attacker to intercept user data that is supposed to be traveling over a secured SSL connection.
"It's very hard to know the reasons, but often problems like these can be down to the fact the app is no longer actively being developed—[it may be] end of lifed or no longer supported; however, many of the apps we researched were very much active and in development," Raj Samani, vice president and CTO, Intel Security, told eWEEK. "In this case, it is most likely that they have other priorities, unfortunately."
App developers have constant requirements to implement new features and to stay competitive, even though the issues raised in the McAfee Labs report have great impact, Samani said. Unfortunately, many developers and companies think of security as an afterthought, an add-on, and don't build it in from the start, he added.
"You could argue this didn't occur here because they used SSL, which is good," Samani said. "They just didn't implement it correctly, which is unfortunate given the developer resources for Android app development from Google."