Google Android apps send credentials in the clear

01 March 2011

The Google Android smartphone platform has come under fire for a lack of security in certain apps, including an 'official' Facebook application that transmits certain user credentials in the clear.

This, says Professor Dan Wallach, a computer science professor at Rice University in the US, means that anyone using a WiFi sniffer application can eavesdrop and possibly intercept user sessions on a variety of web portals.

Wallach also asserts that the lack of security – with the exception of the password on Facebook – could allow a user's online session to be hijacked.

According to Phil Lieberman, CEO of Lieberman Software, the professor's discovery is typical of open source software, as there is little incentive for the software developer to use secure protocols unless the destination system requires it.

And this, he explained, is the biggest issue with open source software.

"Whilst the economic imperative to go open source is clearly very strong, companies that use open source, such as Android, which is based on Linux code, also need to ensure their software is robust on the security front, and this process costs money", he explained.

Lieberman, whose company specialises in privileged identity management and security solutions, went on to say that Android apps are an interesting case as, unlike most open source software, the apps are usually designed to run on an as-is basis, so adding security to the IP transmission side is not always an easy task.

"I would go one step further and state that this disclosure is but one early warning shot about the use of cloud computing and new platforms such as Android and Windows Mobile 7", he said.

"The other element is the stark reality that computer science graduates rarely, if ever, receive any training on how to write secure applications. So it should come as no surprise that many applications created by these same people are insecure", he added.

Lieberman went on to say that, depending on the platform provided by a vendor, the core security available to the developer can also be woefully inadequate.

"As a consequence, developers of applications frequently find themselves needing to add layer upon layer of additional technology which may be beyond their expertise and budget", he said.

"Because security is frequently an 'out of sight, out of mind' problem, it does not get addressed/funded until someone complains or something bad happens", he added.

Lieberman concludes that Wallach’s findings are a great lesson that it is time for developers to hit the books on how to secure their applications.

"Platform vendors need to complete their security and encryption suites to make it easy for developers to write secure applications", he said.

This article is featured in:
Wireless and Mobile Security

 
