McAfee, the cyber-security firm, has issued a stern warning to mobile app developers: update your app software to protect users against well-known vulnerabilities in popular secure-communications software.
According to Tech Times:
In January this year, McAfee tested 25 apps that were on the CERT list. According to the cybersecurity firm's "Labs Threats Report: February 2015," tests found that 18 popular apps were still lacking patches despite security holes being flagged in September 2014. Based on the report, the vulnerable app that had been downloaded the most is a photo editor for smartphones. It had 100 million to 500 million downloads. The application also enables its users to share images on social media sites, as well as cloud services.
What does this mean for mobile app developers?
The McAfee report comments on the amount of personal information that mobile apps gather about their users.
However, one of the most serious problems arises from the use of old versions of a popular software library, OpenSSL, to provide secure communications between mobile app users and servers, or between users.
OpenSSL – the heart of Internet security
OpenSSL is popular because it works: it provides by far the most trusted and most comprehensive implementation of secure communication. If you include OpenSSL (libSSL) in your mobile app project, you do not have to write fantastically complex encryption code yourself. All you need to do is add a few lines of code to your project to ask OpenSSL to create the secure communication channel for you.
Because of its popularity, OpenSSL code is a key target for hackers: anyone who finds a way of breaking OpenSSL finds that half the world is vulnerable to the attack. The flip side, of course, is that because OpenSSL is so popular, a lot of people take a strong interest in keeping it secure. When a new way of hacking OpenSSL is discovered, developers across the world spring into action, and within hours, or at most a few days, an update is available which closes the hole.
However, there is a catch. Keeping your use of OpenSSL secure depends very much on keeping your copy of OpenSSL (libSSL) up to date, so that you have all the latest security updates. If you do not keep your copy of the libSSL library code current, your mobile app will still work, but it becomes progressively more vulnerable to hackers as more and more attacks are discovered that work against your out-of-date copy of the security library. This damaging rise in the vulnerability of your mobile app is subtle and difficult to detect. Unless your mobile app developers make a conscientious effort to stay in control of this issue, the first indication that your popular mobile app has a problem might be unwelcome, damaging publicity in the global media.
Note that many mobile apps do not use their own copy of OpenSSL (libSSL). Many simply use the default security classes provided by the mobile app development environment. Both the Android app development environment and the iPhone app development environment provide good security out of the box, without your having to incorporate your own copy of the OpenSSL (libSSL) code. But there are situations in which you need full access to security functionality, access which goes beyond the basic facilities provided by the standard development tools. In such cases, you have to download a copy of the OpenSSL / libSSL code and include it in your project.
What should you do, to stay safe?
What do you do if you are concerned that your mobile app might be vulnerable to this issue? The first step is simply to ask your mobile app development team: do they use a private copy of OpenSSL / libSSL, and, if so, when was the last time they updated their OpenSSL code?
If you are not completely satisfied with their answer, the next step is to commission an independent audit of your code: either ask another developer to verify that the secure communications employed by your mobile app comply with best practice and that everything is up to date, or, if you have a big budget, hire a reputable mobile security firm, like McAfee, to perform a comprehensive security audit of your mobile app system.
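One way to check the "when was libSSL last updated" question from the outside, as an added example that is not from the McAfee report or this post's author: a Python script that scans an Android APK's native libraries for the version banner that OpenSSL builds embed, and flags any copy older than a baseline the auditor sets. The baseline value and the sample APK are constructed for the demo.

```python
import io
import re
import zipfile

# OpenSSL embeds a banner such as "OpenSSL 1.0.1e 11 Feb 2013" in libcrypto/libssl
# (the string SSLeay_version()/OpenSSL_version() returns), so a bundled copy can be
# dated without running the app.
BANNER_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*) ")

# Assumed baseline for this demo; an auditor sets it from current OpenSSL advisories.
MINIMUM = (1, 0, 1, "g")

def parse_banner(match):
    """Regex match -> comparable (major, minor, patch, letter) tuple."""
    major, minor, patch, letter = match.groups()
    return (int(major), int(minor), int(patch), letter.decode())

def versions_in(blob):
    """Every distinct OpenSSL version banner found in a binary blob."""
    return sorted({parse_banner(m) for m in BANNER_RE.finditer(blob)})

def audit_apk(apk_bytes, minimum=MINIMUM):
    """Map each lib/**/*.so entry to [(version, outdated), ...]; an empty list
    means the library was inspected and carries no OpenSSL banner."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.startswith("lib/") and name.endswith(".so"):
                found = versions_in(apk.read(name))
                findings[name] = [(v, v < minimum) for v in found]
    return findings

def build_sample_apk():
    """Constructed stand-in for a real APK: fake ELF stubs carrying banners."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("classes.dex", b"dex\n035" + b"\0" * 32)
        apk.writestr("lib/armeabi-v7a/libcrypto.so",
                     b"\x7fELF" + b"\0" * 16 + b"OpenSSL 1.0.1e 11 Feb 2013\0")
        apk.writestr("lib/arm64-v8a/libvendorssl.so",
                     b"\x7fELF" + b"\0" * 16 + b"OpenSSL 1.0.2k 26 Jan 2017\0")
        apk.writestr("lib/arm64-v8a/libjpeg.so", b"\x7fELF" + b"\0" * 40)
    return buf.getvalue()

if __name__ == "__main__":
    for path, results in audit_apk(build_sample_apk()).items():
        for (major, minor, patch, letter), outdated in results:
            print(f"{path}: OpenSSL {major}.{minor}.{patch}{letter}",
                  "OUTDATED" if outdated else "ok")
```

The same scan can be pointed at an iOS .ipa (a zip as well) by adjusting the path filter; a library with no banner is not proof that OpenSSL is absent, since some builds strip the string.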
If you would like to know more about the content of the McAfee security report, and how the issues raised in the report might affect your mobile app business, please contact me.