Protecting the Mobile App Space

Mobile apps are the new frontier. With every new terrain come risks and, eventually, regulation. About 8% of Android apps are vulnerable to attack because of weak SSL implementations, according to a new computer security study. SSL/TLS are the cryptographic protocols used to secure online communications. According to Information Week Security, “Security researchers in Germany analyzed 13,500 free Android apps from Google Play and found that 1,074–about 8%–contain SSL/TLS code that could potentially make them vulnerable to what’s known as a Man-in-the-Middle (MITM) attack.”
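As an added illustration that is not from the original post or the cited study: the kind of weak SSL/TLS code that leaves an Android app open to a MITM is typically a custom TrustManager or HostnameVerifier that accepts anything, shown here beside the hardened form that keeps the platform's default validation. Class and method names are hypothetical.

```java
import java.net.URL;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// WEAK: a TrustManager with empty check methods accepts every certificate,
// so any on-path party with a self-signed certificate can read or alter the
// traffic. Shown so the defect is recognisable in code review.
final class TrustAllManager implements X509TrustManager {
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
    @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}

public final class SslClientExample {
    // Vulnerable pattern: trust-all manager plus an allow-all hostname verifier.
    static HttpsURLConnection openWeak(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new TrustAllManager() }, null);
        HttpsURLConnection c = (HttpsURLConnection) url.openConnection();
        c.setSSLSocketFactory(ctx.getSocketFactory());
        c.setHostnameVerifier((hostname, session) -> true); // defeats name checking
        return c;
    }

    // Hardened: override nothing. The default socket factory validates the chain
    // against the device trust store and the default HostnameVerifier checks the
    // certificate against the URL's host.
    static HttpsURLConnection openHardened(URL url) throws Exception {
        HttpsURLConnection c = (HttpsURLConnection) url.openConnection();
        c.setConnectTimeout(10_000);
        return c;
    }

    // Review aid: true only if neither the verifier nor the factory was replaced.
    static boolean usesDefaultVerification(HttpsURLConnection c) {
        return c.getHostnameVerifier() == HttpsURLConnection.getDefaultHostnameVerifier()
            && c.getSSLSocketFactory() == HttpsURLConnection.getDefaultSSLSocketFactory();
    }
}
```

On a real device the weak connection also succeeds against a proxy presenting a forged certificate, which is exactly the condition a test harness should assert fails for the hardened connection.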

Although this is not a new problem, attackers are increasingly using a simple method to find flaws in websites and applications: they Google them. Using Google code search, attackers can identify critical vulnerabilities in application code, providing the entry point they need to break through application security. Information Week Security’s report, Using Google To Find Vulnerabilities In Your IT Environment, outlines methods for using search engines such as Google and Bing to identify vulnerabilities in your applications, systems and services–and to fix them before they can be exploited.

In light of these attacks, privacy and security are growing concerns. In response, California has implemented the California Online Privacy Protection Act, a.k.a. CalOPPA. Under this act, California is set to begin fining mobile app developers that release apps lacking a clear and easily accessible privacy policy. Attorney General Kamala D. Harris started notifying businesses this week that their apps did not have easily accessible privacy policies, as required by the state’s Online Privacy Protection Act. The warnings affect as many as 100 apps.

Violators will face fines of up to $2,500 for every non-compliant app that gets downloaded. Businesses that received the state’s privacy-warning letters this week included the airlines Delta and United Continental, as well as OpenTable, reported Bloomberg.

Earlier this year, Harris helped create an agreement among the seven leading mobile and social app platforms to improve privacy protections for those who use apps on their smartphones, tablets, and other electronic devices. According to her release, these companies – Amazon, Apple, Facebook, Google, Hewlett-Packard, Microsoft, and Research in Motion – agreed to privacy principles designed to bring the industry in line with California law requiring mobile apps that collect personal information to have a privacy policy.

The agreement allows consumers the opportunity to review an app’s privacy policy before they download the app rather than after, and offers consumers a consistent location for an app’s privacy policy on the application-download screen in the platform store.

“Smartphones are in my opinion the greatest threat to loss of intellectual property and concern about privacy,” said Darren Hayes, an assistant professor and expert in computer forensics at Pace University. “There are mobile apps that are masked as legitimate games which compromise other data on your phone. More aggressive privacy laws may mitigate some of the risk.”

A lot of apps would have to be updated to include the privacy notice. I hope 30 days is sufficient to make the necessary changes for affected applications.

Mobile security experts and vendors said the crackdown was good for the industry, because it would boost California consumers’ confidence. California is one of the most aggressive states in the nation on privacy protection.

This could be the catalyst needed to make other states demand greater privacy protection. The difficulty is always in balancing the protection of privacy against limits on speech. This is only the beginning…
