App-solutely Perilous? Security of Mobile Apps Spurs Concern
Posted Sep 1, 2011 12:50 AM CST
By Richard Acello
Acquisitive fingers are wirelessly downloading millions of apps into smartphones and tablet computers, with the promise of new, easy and efficient ways of communicating. But it seems that with every advance comes a problem, and claims are being made that downloaded apps may also be carrying security risks that could leave mobile devices vulnerable to hackers.
Lawyers may be especially vulnerable because of the varying levels of technical savvy in the profession, and because the apps in question provide services attractive to them.
Take Dropbox, a free iPad app that was hailed by Wired magazine as “the iPad’s de facto file system.”
Recently lawyers and security experts have questioned the security of the mobile app in relation to metadata, which was being sent unencrypted. Adam Pash, a Los Angeles-based Web developer who wrote about the issue on his Lifehacker blog, says, “Normally, Dropbox sends all information between your computer and Dropbox servers over a secure, encrypted HTTPS connection. The file itself was still being transferred securely in the Dropbox mobile app, but file metadata (your file name, modify time, size, etc.) was not being sent securely. ... If you had a file name that contained, for example, someone’s Social Security number, that wouldn’t be ideal from a security standpoint.”
Also causing concern was an update to Dropbox’s security terms of service informing users that content could be decrypted under an official order. And in June an authentication problem allowed anyone to log into any Dropbox account with any password for a few hours.
In a July blog post on security and privacy, Dropbox said it had changed its policy to encrypt metadata. As for the other issues, an earlier Dropbox blog post noted that the company—like major Internet players, including Apple, Twitter, Skype and Google—is under the same legal obligations to reply to government subpoenas for data. Another blog post said the company was searching for the reason behind the authentication glitch.
RATINGS BY PLATFORM
Meanwhile, Ride the Lightning, an electronic evidence blog run by security expert Sharon D. Nelson, president of Sensei Enterprises in Fairfax, Va., pointed to a study by ViaForensics, a Chicago-based digital forensics and security firm that rates several popular apps by platform on various security issues. Apps are rated as:
(1) Pass: No user or app data recovered; (2) Warn: App data stored unencrypted; (3) Fail: Sensitive data stored insecurely.
In its rankings, ViaForensics gave Google’s Android Mail Exchange and Android Mail (Hotmail) failing security grades, as well as its Gmail and Groupon applications.
Google, developer of the Android system, issued this statement: “Our approach includes clearly defined Android Market content policies that developers must adhere to, plus a multilayered security model based on user permissions and application sandboxing,” a security method that separates running applications, limiting the damage of a malicious app.
“Applications in violation of our policies are removed from Android Market,” the statement continues. “Also for your reference, we recently removed a number of malicious applications within minutes of their discovery and pushed a remote kill and security update to users.”
Several iPhone apps, including its Exchange Mail and Gmail offerings, were also given failing security grades. Neither Apple nor Research in Motion, maker of the BlackBerry, responded to inquiries about their mobile app security measures.
Andrew Hoog, ViaForensics’ chief investigations officer, says an issue for many users—especially in email programs—is the tendency to reuse passwords for many sites they visit.
“If the user name and password or emails themselves are stored on the device without encryption, you can pull out the user name, password and emails,” he explains. “Most people reuse their passwords,” Hoog says, so if someone’s user name and password are accessed, user names and passwords can often be figured out for all accounts.
ViaForensics’ home page links to a list of steps mobile device users can take to protect their data, including using a trusted network for Internet connections, using a strong passcode on the mobile device, and being cautious about opening strange emails.