SSL Problems Plague Many Mobile Apps: Intel Report | eWeek

SSL Problems Plague Many Mobile Apps: Intel Report

mobile app security
Feb 25, 2015
3 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

There continues to be a lack of proper Transport-Layer Security for mobile apps, according to Intel Security, which published a new report on Feb. 24.

In September 2014, the Computer Emergency Response Team (CERT) at Carnegie Mellon University publicly identified a list of multiple mobile apps that had Secure Sockets Layer (SSL) issues. In January 2015, Intel Security’s McAfee Labs tested the 25 most popular apps from the CERT list and found that 18 of them still have SSL security issues. These issues could potentially enable an attacker to intercept user data that is supposed to be traveling over a secured SSL connection.

“It’s very hard to know the reasons, but often problems like these can be down to the fact the app is no longer actively being developed—[it may be] end of lifed or no longer supported; however, many of the apps we researched were very much active and in development,” Raj Samani, vice president and CTO, Intel Security, told eWEEK. “In this case, it is most likely that they have other priorities, unfortunately.”

App developers have constant requirements to implement new features and to stay competitive, even though the issues raised in the McAfee Labs report have great impact, Samani said. Unfortunately, many developers and companies think of security as an afterthought, an add-on, and don’t build it in from the start, he added.

“You could argue this didn’t occur here because they used SSL, which is good,” Samani said. “They just didn’t implement it correctly, which is unfortunate given the developer resources for Android app development from Google.”

Google has a Web page that discusses the issue of proper validation of SSL certifications, and even warns of the potential consequences.

App developers might not be fully aware of issues with their apps’ SSL implementation, Samani said. For an app developer, if the code compiles and executes and they can see the traffic is encrypted, they may not even think there’s a problem, let alone know whether there’s a risk, he added.

“In this case, it could be that the level of quality assurance on their application is inadequate or the staff not skilled enough to perform this level of testing, which essentially requires simulating an attacker trying to intercept the traffic by generating their own certificates,” Samani said.

Even though there might be some valid reasons an app developer has not properly secured his or her SSL security, for the apps in question in the McAfee Labs report, all the impacted app vendors have been notified at least twice, he said.

“Assuming that the contact was made correctly, i.e., email addresses that are monitored, etc., we hope that the lack of fixes is not down to people not caring about the problem, but that it’s less of a priority to fix,” Samani said. “Sadly, it may only become a priority if a problem occurs and many of their customers become victims and require assistance that may even lead to lawsuits against the company.”

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.