Google Android apps send credentials in the clear

Android's march to the top of the smartphone market continues as questions surrounding the security of its apps mounts
Android's march to the top of the smartphone market continues as questions surrounding the security of its apps mounts

This, says Dan Wallach, a computer science professor at Rice University, means that anyone using a WiFi sniffer application can eavesdrop and possibly intercept user sessions on Android devices through a variety of web portals.

Wallach also asserts that the lack of security – with the exception of the password on Facebook – could allow a user's online session to be hijacked.

According to Phil Lieberman, CEO of Lieberman Software, the professor's discovery is typical of open source software, as there is little incentive for the software developer to use secure protocols unless the destination system requires it.

And this, he explained, is the biggest issue with open source software.

"Whilst the economic imperative to go open source is clearly very strong, companies that use open source, such as Android, which is based on Linux code, also need to ensure their software is robust on the security front, and this process costs money", he explained.

Lieberman, whose company specializes in privileged identity management and security solutions, went on to say that Android apps are an interesting case as, unlike most open source software, the apps are usually designed to run on as as-is basis, so adding security to the IP transmission side is not always as easy task.

"I would go one step further and state that this disclosure is but, one early warning shot about the use of cloud computing and new platforms such as Android and Windows Mobile 7", he said.

"The other element is the stark reality that computer science graduates rarely, if ever, receive any training on how to write secure applications. So it should come as no surprise that many applications created by these same people are insecure", he added.

Lieberman went on to say that, depending on the platform provided by a vendor, the core security available to the developer can also be woefully inadequate.

"As a consequence, developers of applications frequently find themselves needing to add layer upon layer of additional technology which may beyond their expertise and budget", he said.

"Because security is frequently an 'out of sight, out of mind' problem, it does not get addressed/funded until someone complains or something bad happens", he added.

Lieberman concludes that Wallach’s findings are a great lesson that it is time for developers to hit the books on how to secure their applications.

"Platform vendors need to complete their security and encryption suites to make it easy for developers to write secure applications", he said.

What’s Hot on Infosecurity Magazine?