Please note that this is a page from a previous version of Continuity Central and is no longer being updated.

To see the latest business continuity news, jobs and information click here.

Business continuity information

Smartphones and enterprise systems: don’t let convenience override security considerations

Use your smartphone to log into cloud and secure systems at your peril says Lieberman Software CEO.

Research by a US university scientist which has shown that Google Android apps are sending user credentials in the clear comes as no surprise to Phil Lieberman, CEO of Lieberman Software. "According to a report in The Register, Dan Wallach's research has revealed that several Android apps - including an approved Facebook application - are sending all data but the password ‘in the clear.’ This is absolutely typical of open source software, since there is little incentive for the software developer to use secure protocols unless the destination system requires this,” he said.

"And this is the biggest issue with open source software. Whilst the economic imperative to go open source is clearly very strong, companies that use open source, such as Android, which is based on Linux code, also need to ensure their software is robust on the security front, and this process costs money," he added.

Lieberman went on to say that Android apps are an interesting case as, unlike most open source software, the apps are usually designed to run on as as-is basis, so adding security to the IP transmission side is not always as easy task.

Lieberman said: “I would go one step further and state that this disclosure is but one early warning shot about the use of cloud computing and new platforms such as Android and Windows Mobile 7. The other element is the stark reality that computer science graduates rarely, if ever, receive any training on how to write secure applications. So it should come as no surprise that many applications created by these same people are insecure. Depending on the platform provided by a vendor, the core security available to the developer (given that they know what they are doing), can also be woefully inadequate. As a consequence, developers of applications frequently find themselves needing to add layer upon layer of additional technology which may beyond their expertise and budget. Because security is frequently an ‘out of sight, out of mind’ problem, it does not get addressed/funded until someone complains or something bad happens.

“With apps for other smartphone platforms - such as BlackBerry and iOS - for the iPhone, iPad and iPod touch - there are vetting procedures in place to ensure that a third-party application does not get offered without some sort of assurance that it is robust from a security perspective.”

At the end of the day, however, Lieberman says it is difficult to guarantee that a smartphone app is as secure as a desktop application, for the simple reason that few smartphone users in a corporate environment have access to smartphone app security checking.

Lieberman said: “So this story is a great lesson that it is time for developers to hit the books on how to secure their applications, and platform vendors need to complete their security and encryption suites to make it ‘easy’ for developers to write secure applications.

"Yes, it is convenient to access a Web interface to a computer system using a smartphone whilst on the move, but this is why privileged identity management systems exist. Carefully controlling what any user can do - or cannot do - is at the heart of a good security system.

"I suspect you will find many other examples of smartphone apps that have a security hole in them. The sad fact is that, until smartphone-transmitted someone's credentials are ransacked to commit a serious cybercrime, we don't get to hear about this until it's too late."


•Date: 3rd March 2011 • Region: US/World •Type: Article •Topic: ISM news

How to advertise How to advertise on Continuity Central.

To submit news stories to Continuity Central, e-mail the editor.

Want an RSS newsfeed for your website? Click here