Recently I wrote about the number of malware apps for the android operating system. Well, I think the article I found interesting was found interesting by other people. From an article posted in Network World, it appears that HP found that 90% of Apple iOS mobile apps show security vulnerabilities. Now in reading this summary of the HP report in detail, the point made by HP is not that 90% of iOS apps are malware, rather “86% of the apps tested lacked the means to protect themselves from common exploits.”
As companies expand their IT presence into phone and tablet apps, the question of the security of those platforms needs to be answered. After spending the first 20 years of my career as an application developer, I understand the problem. The first thing you do as a developer is find a solution to the problem that is presented to you. The second to last thing you do (the last always being documentation, if you ever do it) is test your code for unexpected usages. And you never think of all of them. I remember being thanked by a user for writing a particular function a year or so after I had released the code. He told me what he was doing with what I had written and my response was “It does that?” The user was using what I had written to do one thing for something completely different and totally unexpected. What was more interesting is that it was working perfectly.
The problem according to HP is that adequate penetration testing is not done. This is probably because of the speed in which apps are being developed and released. Like any other client, mobile apps are at some point going to be connected back to the corporate servers. Then, like any other client, malware on the client may be transported to the server. As noted above, you never know what someone will do with something you wrote.
As an IT professional, you need to be aware of what apps you are recommending/developing do and what they might do under malicious conditions. Although malware protection is a reactive science, you should be as proactive as possible when evaluating mobile apps.
It’s National Cyber Security Awareness Month! Of course you should be aware of cyber security every month. Intel has done an interesting page of cyber security suggestions at https://www-ssl.intel.com/content/www/us/en/security/lifehacks.html. Check it out.
I know it seems like I have been picking on Google for the last couple of posts, but they are such an easy target. This time, Google’s CIO, Ben Fried had some interesting things to say in an article written by Liz Gammes of All Thngs D. The article talks about how Google employees are insulated from what is used in the outside consumer world. Google’s mantra is that everyone should trust the cloud to handle their communications and data storage. Employees should collaborate and develop corporate strategy on the web rather than their own internal networks.
Now, Google follows its philosophy by using its own products, like Google Apps and Google Drive for their internal development in their internal cloud. But how does it feel about using other’s products, or the cloud in general? “The important thing to understand about Dropbox,” Fried said, “is that when your users use it in a corporate context, your corporate data is being held in someone else’s data center.” To put that in a real context, Google’s basic philosophy, from my understanding, is anything that is stored on Google’s servers is Google’s property. That may be a bit of an overstatement, but they do feel they have the right to mine your data in order to target ads to you. What is to prevent and Edward Snowden from coping your information and passing it to others? You are relying on Google to tell you that your data has been compromised, and it is because of a breach of their security. Can you say “lawsuit”?
This is not to say that Google is worse than any other cloud provider. They are open about their position on data mining and I am not saying that anyone else is data mining or not data mining. What I am saying is that moving your data to the cloud means that you are consciously giving up control of your information to someone else. You are trusting them to prevent anyone other than yourself from accessing, destroying or changing that data.
As the old consumer adage goes “Buyer beware”.