Encryption in the Spotlight due to Vulnerable Android Apps
Last week, Ars Technica’s Dan Goodin published a story detailing how downloaded Android applications have the potential to expose the sensitive personal data of more than 185 million users. Vulnerabilities due to inadequate or incorrect use of SSL/TLS protocol libraries expose everything from online banking and social networking credentials to e-mail and instant-messaging contents. A group of computer scientists identified 41 applications in Google's Play Market that could leak data from an Android phone connected to webservers for banks and other online services.
In addition to the research paper that sparked the article, there was another body of research out of Stanford University and the University of Texas, which exposed additional security issues with Android apps as well as a plethora of other popular web applications, services, electronic banking sites, and more. Again, the security issues stem from the incorrect or inadequate use of SSL/TLS libraries within the applications.
Dan’s story is timely considering I just discussed the importance of encryption in my final post of the “Defining the Enterprise Cloud Service” series. As I pointed out, encryption is critical to the enterprise cloud – and for that matter critical to even the consumer apps we use daily. Both of the research articles point out just how easy it is to implement communication encryption protocols incorrectly – with potentially dire consequences.
Just seeing the number of issues related to online banking services and web apps is a bit unsettling. On one hand, consumer banking is one of the most highly regulated and insured industries around – and yes if your personal account was exploited, the bank would be able to fix it via FDIC insurance. That being said, it’s an experience I don’t want to have to deal with in any way.
Strong encryption is critical for data at rest as well – be it in the cloud, and as I would like to think, on your phone as well. It’s easy to think about in relation to how a bank secures money in its safe. The better the encryption scheme, the better the safe. The better the encryption scheme in the cloud, the safer your data.
Android users should take note. But so should every enterprise cloud company. Enterprises must make sure that every cloud service that’s adopted in their environment is encrypted throughout. While the onus is still on the providers to provide incredibly secure applications, enterprises – just like consumers – need to know what mechanisms are necessary for high security and ask whether or not their vendors employ them.