
If you use apps, you may want to read this

Ben Grubb (via SMH) | July 24, 2013
Many smartphone app developers are not using encrypted protocols to secure the apps they create, leaving users vulnerable to being hacked when they connect to public Wi-Fi networks, researchers say.

Dmitry Bestuzhev, head of Kaspersky Lab's Global Research and Analysis team, said that app stores setting rules which made the use of encryption mandatory would help fix the problem. If an app was found to use an unencrypted protocol it could be rejected as insecure, he said.

"Encryption ... should be a standard in any application in general," Mr Bestuzhev said.

Australian security researcher Troy Hunt said secure connections (https) exist for a reason.

"It's there for authenticity of identity, integrity of content and confidentiality so no one observes (the transaction) taking place," Mr Hunt said.

Mr Hunt said he has seen many apps using insecure protocols, some from big shopping centres and airlines. He said developers should always use a secure connection for their apps.

"In times gone by there was a cost to certificates, now you can get free certificates... in the past there was some worry about performance, including some latency, but https is almost as fast as a non-secure connection now."

Often developers chose unencrypted protocols because it meant less bandwidth and therefore cheaper costs, Mr Bestuzhev said. Other times developers just didn't consider using secure protocols because they weren't security conscious and believed it was an unnecessary feature.

Chris Gatford, penetration tester and director of Australian security firm HackLabs, joined calls for web and app developers to use secure connections at all times and for app owners to pay a fair price for app development.

"We still see in our work, when testing web applications, a section (of a site) that developers have overlooked and it's still sending session cookies over http rather than https.

"Not a day goes by that a customer doesn't ask us, after a test has occurred, why they had so many issues with their application. One in five, it's because they got it developed on the cheap, by some fly-by-night development company or a large development company outsourced to a fly-by-night or even another team.

"Unfortunately people are hiring people with less experience because people who have experience and have gone through the security of it cost more. People don't want to pay good money for a good developer."

Currently the only way for a user to check whether they are using an app that makes use of encryption is to set up a lab-style environment and monitor traffic going in and out of an app, Mr Bestuzhev said.
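The two checks above, Mr Gatford's overlooked section of a site that sends a session cookie over http and Mr Bestuzhev's lab capture of an app's traffic, come down to the same audit of reassembled HTTP messages. The script below is an added example and is not code from the article or from anyone quoted in it. It assumes you have already reassembled each message from a capture (an intercepting proxy, or tcpdump on a Wi-Fi hotspot you control) into (scheme, host, raw message) tuples; the capture, the hostnames shop.example and api.example, and the cookie values are all constructed for the example.

```python
"""Audit reassembled HTTP messages from a lab capture for cleartext
requests that carry a session cookie or token, and for session cookies
issued without the Secure attribute (which lets the client replay them
over http). Added example; the sample capture below is constructed."""
from typing import Iterable

# Request headers that carry a credential or session identifier.
SENSITIVE_REQUEST_HEADERS = {"cookie", "authorization", "x-auth-token"}


def parse_message(raw: str) -> tuple[str, dict[str, list[str]]]:
    """Return the start line and a lower-cased header multimap of one HTTP message."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def missing_cookie_attributes(set_cookie: str) -> list[str]:
    """Attributes a Set-Cookie value lacks that matter on a hostile network."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")[1:]}
    # Secure stops the client sending the cookie over http; HttpOnly keeps it
    # away from injected script.
    return [name for name in ("Secure", "HttpOnly") if name.lower() not in attrs]


def audit(capture: Iterable[tuple[str, str, str]]) -> list[tuple[str, str, str]]:
    """Return (severity, host, description) findings for a sequence of
    (scheme, host, raw_message) tuples, where scheme is "http" or "https"."""
    findings: list[tuple[str, str, str]] = []
    for scheme, host, raw in capture:
        start, headers = parse_message(raw)
        if start.startswith("HTTP/"):  # a response: inspect the cookies it issues
            for value in headers.get("set-cookie", []):
                name = value.split("=", 1)[0].strip()
                if scheme == "http":
                    findings.append(("high", host, f"cookie {name} issued over cleartext"))
                missing = missing_cookie_attributes(value)
                if missing:
                    findings.append(("medium", host, f"cookie {name} lacks {', '.join(missing)}"))
            continue
        # A request: anything over http is worth noting; a credential over http is a leak.
        if scheme != "http":
            continue
        method, target = start.split(" ")[:2]
        leaked = sorted(SENSITIVE_REQUEST_HEADERS & set(headers))
        if leaked:
            findings.append(("high", host, f"{method} {target} sends {', '.join(leaked)} in cleartext"))
        else:
            findings.append(("low", host, f"{method} {target} requested over cleartext"))
    return findings


# Constructed sample: a login over https, a session cookie set without Secure,
# and an overlooked image request on http that replays that cookie.
SAMPLE_CAPTURE = [
    ("https", "shop.example", "POST /login HTTP/1.1\r\nHost: shop.example\r\n\r\nuser=a&pass=b"),
    ("https", "shop.example", "HTTP/1.1 302 Found\r\nSet-Cookie: session=abc123; Path=/; HttpOnly\r\nLocation: /\r\n\r\n"),
    ("http", "shop.example", "GET /images/logo.png HTTP/1.1\r\nHost: shop.example\r\nCookie: session=abc123\r\n\r\n"),
    ("https", "api.example", "HTTP/1.1 200 OK\r\nSet-Cookie: token=xyz; Secure; HttpOnly; Path=/\r\n\r\n"),
    ("http", "api.example", "GET /status HTTP/1.1\r\nHost: api.example\r\n\r\n"),
]

if __name__ == "__main__":
    for severity, host, text in audit(SAMPLE_CAPTURE):
        print(f"[{severity}] {host}: {text}")
```

Run against the sample, the audit reports the session cookie set without Secure, the logo request that sends it in cleartext, and the plain http status request. The first two together are the pattern Mr Gatford describes: the login page is fine, but a forgotten asset on http hands the session to anyone on the same Wi-Fi.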

App users concerned about their security can use what's known as a virtual private network, or VPN, when they connect to public Wi-Fi. Using a VPN tunnels a user's internet traffic through an encrypted connection back to a server that can be located anywhere in the world.
