This rather alarming-looking headline refers to this research paper: http://www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf

By and large, the paper describes issues related to known SSL/TLS/PKI vulnerabilities and implementation (and arguably user-interface) weaknesses that are rather commonly present across most platforms, not just Android. Some of these could be avoided to some extent via automated code scanners (a technology set that is gradually coming to various environments), but the reality is that without severely restricting developer and site flexibility, there is only so far we can go toward making these systems more (but still not perfectly) bulletproof. The paper also notes a number of methodological limitations that make a full analysis somewhat problematic. There are really no big surprises here for anyone who studies crypto systems in the Web environment, but obviously we must work to do better.

I'll be popping back up for a couple of minutes on Coast to Coast AM radio tonight a bit after 10 PDT to discuss this.
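As an illustration of the "automated code scanner" idea raised above, here is an added example (not part of the original post, and not the paper's own MalloDroid tool): a minimal Python scanner that flags three of the SSL misuse patterns the Fahl et al. paper reports finding in Android apps, namely a checkServerTrusted with an empty body (accepts any certificate chain), a HostnameVerifier.verify that unconditionally returns true, and use of Apache HttpClient's ALLOW_ALL_HOSTNAME_VERIFIER. The Java snippets it scans are constructed for this example; the regular expressions are deliberately simple and will miss obfuscated, reflective or otherwise indirect variants, which is one reason the post's caveat about the limits of scanners applies.

```python
"""
Added example: a regex-based scanner for the SSL/TLS misuse patterns the
Fahl et al. Android paper describes. Not the paper's tooling; sample Java
source below is constructed for this example.
"""
import re

# Each rule is (name, compiled regex). DOTALL lets method bodies span lines.
RULES = [
    # checkServerTrusted whose body is empty: every certificate chain is accepted.
    ("trust-all TrustManager",
     re.compile(r"void\s+checkServerTrusted\s*\([^)]*\)[^{]*\{\s*\}", re.DOTALL)),
    # HostnameVerifier.verify that unconditionally returns true.
    ("accept-all HostnameVerifier",
     re.compile(r"boolean\s+verify\s*\([^)]*\)[^{]*\{\s*return\s+true\s*;\s*\}",
                re.DOTALL)),
    # Apache HttpClient constant that disables hostname checking entirely.
    ("ALLOW_ALL_HOSTNAME_VERIFIER",
     re.compile(r"\bALLOW_ALL_HOSTNAME_VERIFIER\b")),
]


def scan_source(src):
    """Return a list of (rule_name, line_number) findings for one Java source string."""
    findings = []
    for name, rx in RULES:
        for m in rx.finditer(src):
            line = src.count("\n", 0, m.start()) + 1
            findings.append((name, line))
    return findings


# Constructed vulnerable sample: the three patterns the paper documents.
VULNERABLE_SAMPLE = """\
TrustManager[] trustAll = new TrustManager[] { new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    public void checkServerTrusted(X509Certificate[] chain, String authType) { }
    public X509Certificate[] getAcceptedIssuers() { return null; }
} };
HostnameVerifier hv = new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
};
sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
"""

# Constructed hardened sample: delegates to the platform's chain validation
# and hostname verification instead of short-circuiting them.
SAFE_SAMPLE = """\
public void checkServerTrusted(X509Certificate[] chain, String authType)
        throws CertificateException {
    platformTrustManager.checkServerTrusted(chain, authType);
}
public boolean verify(String hostname, SSLSession session) {
    return HttpsURLConnection.getDefaultHostnameVerifier().verify(hostname, session);
}
"""


def report(label, src):
    """Print findings for a sample; returns the findings for the caller."""
    found = scan_source(src)
    print("%s: %d finding(s)" % (label, len(found)))
    for name, line in found:
        print("  line %d: %s" % (line, name))
    return found


if __name__ == "__main__":
    report("vulnerable sample", VULNERABLE_SAMPLE)
    report("hardened sample", SAFE_SAMPLE)
```

Run as a script it lists three findings for the vulnerable sample (lines 3, 7 and 9) and none for the hardened one. In practice a scanner of this kind is a triage aid rather than a verdict: an app that delegates to the platform TrustManager but pins the wrong certificate, or that catches and ignores the CertificateException, passes these checks and is still broken.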
- Why the heck would they not list the apps? If you're going to tell the criminal world that exploits exist, and in the same breath claim this announcement is for the good, let the innocent (us app users) decide whether we want to continue using the suspect apps until they are patched. (Oct 22, 2012)
- So I note that your posted statement could easily apply to the divergence of policies between Apple's App Store (regarding controlling developer behavior) and Google's Play Store (whatever), go searching for a good URL to post about the book Geekonomics to promote secure coding practices ... and I find my old instructor got hired by Apple early last year.
  At any rate: http://www.amazon.com/Geekonomics-Real-Cost-Insecure-Software/dp/0321477898 (Oct 22, 2012)
- I believe there is scant if any evidence to suggest that the Apple App Store approval practices effectively deal with this class of issues. (Oct 22, 2012)
- Sorry, given the title on the article specified a client device (Android) I kind of assumed that it had to do with certificate handling on the application's client side. Suppose I should read the article first. <sheepish grin> (Oct 22, 2012)