There’s a bit of a hubbub around Facebook’s $19 billion purchase of WhatsApp, most of which focused on how much Zuck and the boys spent on the IM app. Rightly so, too; $19 billion is an obscene amount of money, even by technology standards. But even software valued at $19 billion isn’t perfect, as we’ve discovered this week.
An apparent security weakness, uncovered by consultant Bas Bosschert, allowed a malicious hacker to spy on users’ messages via the handset’s microSD card. Needless to say, this backdoor has only been reported on Android versions of the app.
WhatsApp has done what most companies do when they’re on the back foot and rebuffed the claims, saying you first must have an infected handset for this to happen; something they neither have control over nor seem to really care about. And who can blame them? It’s not every day you become a multi-billionaire.
So how did this hack happen? More importantly - what exactly is going on here and should you be worried?
Not really. As WhatsApp points out: you need to get malware on your device in the first place so that your information, messages and numbers can be snooped on via the SD card. Also, the company has now released further updates that protect against malicious apps, adding further to the notion this is nothing more than a storm in a teacup, which is great for WhatsApp and Facebook. But is there more to it?
The SD card on Android can be read by any application if the user allows it, notes Bosschert. That means any app that stores information in that part of the phone should be judged as vulnerable, if we’re going by the WhatsApp benchmark here. The weakness is really inherent in Google’s OS (surprise, surprise) and is easily preventable by simply stopping apps connecting to the SD card.
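As an added illustration of that storage point (this is not code from the article, from Bosschert or from WhatsApp): a small Python check that flags app files written where another app could read them, run here over a constructed `ls -l`-style listing of the kind `adb shell` produces. The shared-storage path prefixes and the listing format are assumptions of the example.

```python
"""Flag app files that another Android app could read (added example)."""
import re
from dataclasses import dataclass
from typing import List

# Assumed prefixes for shared/external storage. Anything under these is
# readable by any app holding the storage permission, whatever its mode bits.
SHARED_PREFIXES = ("/sdcard/", "/storage/", "/mnt/sdcard/")

# One `ls -l`-style entry: "<mode> <owner> <group> <size> <date> <time> <path>"
LS_LINE = re.compile(
    r"^(?P<mode>[-dl][rwx-]{9})\s+\S+\s+\S+\s+\d+\s+\S+\s+\S+\s+(?P<path>/\S+)$"
)


@dataclass
class Finding:
    path: str
    reason: str


def audit_listing(listing: str) -> List[Finding]:
    """Return one Finding per file another app could read.

    This says nothing about whether the contents are encrypted; it only
    reports files whose location or mode exposes them to other apps.
    """
    findings = []
    for line in listing.strip().splitlines():
        m = LS_LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not file entries
        path, mode = m["path"], m["mode"]
        if path.startswith(SHARED_PREFIXES):
            findings.append(Finding(path, "on shared storage: any app with storage permission can read it"))
        elif mode[7] == "r":  # mode[1:4] owner, [4:7] group, [7:10] others
            findings.append(Finding(path, f"world-readable mode {mode}"))
    return findings


# Constructed sample listing, not output from any real device or app.
SAMPLE_LISTING = """
-rw-rw---- u0_a123 u0_a123   40960 2014-03-12 10:02 /data/data/com.example.chat/databases/msgstore.db
-rw-rw-rw- u0_a123 u0_a123    2048 2014-03-12 10:02 /data/data/com.example.chat/shared_prefs/session.xml
-rw-rw-r-- root    sdcard_rw 40960 2014-03-12 10:03 /sdcard/Example/Databases/msgstore.db.crypt
"""

if __name__ == "__main__":
    for f in audit_listing(SAMPLE_LISTING):
        print(f"{f.path}: {f.reason}")
```

Only the private database kept under `/data/data/...` with no "others" read bit passes; the world-readable preferences file and the copy on the SD card are both reported.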
But there is a wider problem here and it does affect WhatsApp.
Today’s smartphone application makers are really rather bad at protecting user data. WhatsApp itself has been caught out before, not doing end-to-end encryption between the app and the various servers it needs to contact for payments. In Bosschert’s findings he was also able to easily decrypt one of the WhatsApp databases with a Python script, so the messaging firm clearly has some problems in this department.
Indeed, encryption is where many apps fall short. “A worryingly large number of applications we test don't encrypt the traffic, it’s just in plain text. So if someone has access to the communication channel such as the wireless in the coffee shop, they can just pluck the information like your username and password out of the air and use it,” Edd Hardy, from security consultancy Hut3, tells me.
So much focus is going on security in other parts of the tech world that many app makers appear to be forgetting about mobile apps. “The vast majority of software is designed and implemented without security in mind,” says Gary McGraw, chief technology officer at security firm Cigital. “For that reason, many of the security compromises are grounded directly in problems found in the software itself. There is an overemphasis on web application security out there in the world; as if the only software with security problems is web software.”
Somehow, someway, we need to make mobile app devs much more security-aware. As it is, too many are concerned with pumping out some quick moneymaking Flappy Bird-esque success story, without considering the privacy implications of their creations.
by rgoodwin via Featured Articles