App developers are weak link for Android security

NEW YORK – As the use of mobile apps on smartphones grows, trusting mobile apps not to expose your sensitive data has come into focus.

A recent report on Android apps vulnerability published by German university researchers has attracted much media attention. The study found that 1,074 apps out of 13,500 free Android apps analyzed had weak Secure Sockets Layer (SSL) implementation that could potentially make them vulnerable to attack.  

EE Times asked Mark Knight of Thales e-Security to break down the issues surrounding mobile app vulnerability. Thales is the large French military contractor which claims its data protection technology is deployed behind roughly 80 percent of ATMs installed in the world today.

When it comes to Android apps security issues, the weak link appears to be apps developers.

In the PC-only days, when developers sought to secure the link between browsers and Web sites using the SSL and Transport Layer Security (TLS) protocols, the imperfect schemes worked reasonably well in negotiating the best possible security, said Knight.

In an era of abundant mobile apps, however, the PC world’s security model has been thrown out of the window. Each mobile app is designed to connect directly with the app developer’s own server.

In other words, apps developers “are making security decisions,” Knight explained.

The German report found that 1,000 apps did not use basic security checks. Others contained basic errors in SSL implementation. Still others prompted apps to initiate calls without SSL protection, thus exposing personal information such as passwords and user names.

Although Knight said he didn't know whether Android security is worse than phones running other operating systems, he stressed that Android developers have a lot of control over security. They have a range of choices in implementing SSLs, allowing them to override some security measures.

The problem is that many smaller apps developers retain a “startup mentality” that doesn’t take security seriously, said Knight, adding that it’s very hard for consumers to know what steps app developers are taking to protect sensitive data.