Shared publicly  - 
This rather alarming looking headline refers to this research paper: // By and large, the paper describes issues related to known SSL/TLS/PKI vulnerabilities and implementation/arguable user interface weaknesses that are rather commonly present across most platforms, not just Android.  Some of these could be avoided to some extent via automated code scanners (a technology set that is gradually coming to various environments), but the reality is that without severely restricting developer and site flexibility, there is only so far we can go toward making these systems more (but still not perfectly) bulletproof.  The paper also notes a number of methodological limitations that make a full analysis somewhat problematic.  There are really no big surprises here for anyone who studies crypto systems in the Web environment, but obviously we must work to do better.  I'll be popping back up for a couple of minutes on Coast to Coast AM radio tonight a bit after 10 PDT to discuss this.
Lauren Weinstein's profile photoNikolai Tkachenko's profile photoJoel Zucker (MonsterMutt)'s profile photoPuleen Patel's profile photo
Why the heck would they not list the apps?  If you're going to tell the criminal world that exploits exist, and in the same breath claim this announcement if for the good, let the innocent (us app users) decide whether we want to continue using the suspect apps until they are patched.
So I note that your posted statement could easily apply to the divergence of policies between Apple's App Store (regarding controlling developer behavior) and Google's Play Store (whatever), go searching for a good URL to post about the book Geekonomics to promote secure coding practices ... and I find my old instructor got hired by Apple early last year.

At any rate:
+Nikolai Tkachenko I believe there is scant if any evidence to suggest that the Apple App Store approval practices effectively deal with this class of issues. 
Sorry, given the title on the article specified a client device (Android) I kind of assumed that it had to do with certificate handling on the application's client side.  Suppose I should read the article first.  <sheepish grin>
Add a comment...