While the German research report focused on "man-in-the-middle attacks" between apps and servers, Knight noted that vulnerabilities don't end there. Once the first layer of protection is removed from the communication linkage between apps and the edge of the server, a bigger issue is how the data within a data center is protected.
“This can be turned into an opportunity for apps developers,” he noted.
Developers, for example, can select what they regard as the most sensitive data, then encrypt it. The encrypted data can then be sent via the cloud to a data center.
What about the cost of such security implementation? Is it simply too expensive for small apps developers? For apps, it’s a one-off cost, replied Knight. “There will be no per-device, per-instance cost.” For data centers, developers will need to install tamper-resistant hardware, thus ensuring that keys cannot be stolen, he added.
Knight stressed that social networks and popular app developers are employing security experts and inserting layers of security. The security problem resides with small app developers who need to be educated, Knight said.
Still, even brands like Sony are not immune to hacking problems, as was demonstrated with the PlayStation services fiasco. Knight said Sony used its own encryption technology to protect data, instead of standard, certified encryption technology. But even trusted protection technology could turn into Swiss cheese because the security technology must be updated constantly.
Asked whether hardware technology embedded in mobile handsets called “TrustZone” helps minimize security risks, Knight was non-committal.
ARM’s TrustZone technology, for example, is supposedly a “system-wide approach” to security that can be used on a mobile phone platform for a host of applications, including secure payment, digital rights management and Web-based services. TrustZone is tightly integrated with ARM processors and extends throughout the system via the AMBA AXI bus and TrustZone IP blocks, according to ARM.
Segregating “sensitive” apps by using TrustZone in a handset sounds like a good idea. But a user still has no way of knowing how those selected apps interact with each other within TrustZone, said Knight.
Ultimately, the fact remains that users continue to rely on app developers to implement security in their services.
Report: Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security
Merging IBM Secure Processor and ARM TrustZone Technologies
ARM, security firms form joint venture for mobile
Secure Software Development with the TrustZone Software API