Mobile apps continue to lack proper Transport Layer Security, according to Intel Security, which published a new report on Feb. 24.
In September 2014, the Computer Emergency Response Team (CERT) at Carnegie Mellon University publicly identified multiple mobile apps with Secure Sockets Layer (SSL) issues. In January 2015, Intel Security's McAfee Labs tested the 25 most popular apps from the CERT list and found that 18 of them still had SSL security issues. These issues could potentially enable an attacker to intercept user data that is supposed to be traveling over a secured SSL connection.
“It’s very hard to know the reasons, but often problems like these can be down to the fact the app is no longer actively being developed—[it may be] end-of-lifed or no longer supported; however, many of the apps we researched were very much active and in development,” Raj Samani, vice president and CTO, Intel Security, told eWEEK. “In this case, it is most likely that they have other priorities, unfortunately.”
App developers have constant requirements to implement new features and to stay competitive, even though the issues raised in the McAfee Labs report have great impact, Samani said. Unfortunately, many developers and companies think of security as an afterthought, an add-on, and don’t build it in from the start, he added.
“You could argue this didn’t occur here because they used SSL, which is good,” Samani said. “They just didn’t implement it correctly, which is unfortunate given the developer resources for Android app development from Google.”
Google has a Web page that discusses the proper validation of SSL certificates, and even warns of the potential consequences of getting it wrong.
App developers might not be fully aware of issues with their apps’ SSL implementation, Samani said. For an app developer, if the code compiles and executes and they can see the traffic is encrypted, they may not even think there’s a problem, let alone know whether there’s a risk, he added.
“In this case, it could be that the level of quality assurance on their application is inadequate or the staff not skilled enough to perform this level of testing, which essentially requires simulating an attacker trying to intercept the traffic by generating their own certificates,” Samani said.
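As an added illustration (not code from the article, the report or any of the apps tested), the weak Android pattern that leaves traffic encrypted but unvalidated, beside the correctly validated client, with a small handshake check of the kind of QA testing Samani describes; the class name, method names and the localhost test URL are placeholders of mine.

```java
import java.io.IOException;
import java.net.URL;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class TlsValidationCheck {
    // WEAK pattern: the traffic is encrypted, but any certificate chain is accepted
    // and the hostname is never compared with the certificate, so an interceptor
    // presenting a certificate it generated itself is trusted.
    static HttpsURLConnection openWithoutValidation(URL url) throws Exception {
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) { return true; }
        });
        return conn;
    }

    // CORRECT pattern: keep the platform defaults. The system trust store checks the
    // chain and the default HostnameVerifier ties the certificate to the host contacted.
    static HttpsURLConnection openWithValidation(URL url) throws IOException {
        return (HttpsURLConnection) url.openConnection();
    }

    // QA check: true if the handshake was accepted, false if the client rejected the server's certificate.
    static boolean handshakeAccepted(HttpsURLConnection conn) throws IOException {
        try {
            conn.connect();
            return true;
        } catch (SSLException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder: point this at a local test server presenting a self-signed certificate.
        URL url = new URL(args.length > 0 ? args[0] : "https://localhost:8443/");
        System.out.println("without validation, accepted: " + handshakeAccepted(openWithoutValidation(url)));
        System.out.println("with validation, accepted:    " + handshakeAccepted(openWithValidation(url)));
    }
}
```

Run against a test server with a self-signed certificate, the weak client reports the handshake as accepted while the validated client rejects it; a client that reports "accepted" for both is the condition the report describes.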
Even though there might be valid reasons an app developer has not properly secured his or her app's SSL implementation, all the impacted app vendors for the apps in question in the McAfee Labs report have been notified at least twice, he said.
“Assuming that the contact was made correctly, i.e., email addresses that are monitored, etc., we hope that the lack of fixes is not down to people not caring about the problem, but that it’s less of a priority to fix,” Samani said. “Sadly, it may only become a priority if a problem occurs and many of their customers become victims and require assistance that may even lead to lawsuits against the company.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.