Lauren Weinstein <lauren@vortex.com> Mon, 22 Oct 2012 12:04:17 -0700
http://j.mp/RRuwGa (This message on Google+) http://j.mp/WE5nol (ars technica via NNSquad) “Android applications downloaded by as many as 185 million users can expose end users' online banking and social networking credentials, e-mail and instant-messaging contents because the programs use inadequate encryption protections, computer scientists have found.'' This rather alarming looking headline refers to this research paper: http://j.mp/RRuTAn (University of Hannover [PDF]) By and large, the paper describes issues related to known SSL/TLS/PKI vulnerabilities and implementation/arguable user interface weaknesses that are rather commonly present across most platforms, not just Android. Some of these could be avoided to some extent via automated code scanners (a technology set that is gradually coming to various environments), but the reality is that without severely restricting developer and site flexibility, there is only so far we can go toward making these systems more (but still not perfectly) bulletproof. The paper also notes a number of methodological limitations that make a full analysis somewhat problematic. There are really no big surprises here for anyone who studies crypto systems in the Web environment, but obviously we must work to do better. I'll be popping back up for a couple of minutes on Coast to Coast AM radio tonight a bit after 10 PDT to discuss this. Lauren Weinstein
No comments:
Post a Comment