NNSquad - Network Neutrality Squad


[ NNSquad ] "Android apps used by millions vulnerable to password, e-mail theft" + my comments

"Android apps used by millions vulnerable to password, 
e-mail theft" + my comments
http://j.mp/RRuwGa  (This message on Google+)

 - - -

http://j.mp/WE5nol  (ars technica)

   "Android applications downloaded by as many as 185 million users can
    expose end users' online banking and social networking credentials,
    e-mail and instant-messaging contents because the programs use
    inadequate encryption protections, computer scientists have found."

 - - -

This rather alarming-looking headline refers to this research paper:

http://j.mp/RRuTAn  (University of Hannover [PDF])

By and large, the paper describes issues related to known SSL/TLS/PKI
vulnerabilities and implementation/arguable user interface weaknesses
that are rather commonly present across most platforms, not just
Android.  Some of these could be avoided to some extent via automated
code scanners (a technology set that is gradually coming to various
environments), but the reality is that without severely restricting
developer and site flexibility, there is only so far we can go toward
making these systems more (but still not perfectly) bulletproof.  The
paper also notes a number of methodological limitations that make a
full analysis somewhat problematic.  There are really no big surprises
here for anyone who studies crypto systems in the Web environment, but
obviously we must work to do better.  I'll be popping back up for a
couple of minutes on Coast to Coast AM radio tonight a bit after 10
PDT to discuss this.

Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren 
Co-Founder: People For Internet Responsibility: http://www.pfir.org/pfir-info
 - Network Neutrality Squad: http://www.nnsquad.org 
 - PRIVACY Forum: http://www.vortex.com/privacy-info
 - Data Wisdom Explorers League: http://www.dwel.org
 - Global Coalition for Transparent Internet Performance: http://www.gctip.org
Member: ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
Google+: http://vortex.com/g+lauren / Twitter: http://vortex.com/t-lauren 
Tel: +1 (818) 225-2800 / Skype: vortex.com