Android apps suck at security

Android applications downloaded by as many as 185 million users can expose end users’ online banking and social networking credentials, e-mail and instant-messaging contents because the programs use inadequate encryption protections, computer scientists have found.

Of course, iOS doesn’t have this problem, so all of you Android owners who want to switch from the malware-infested, security-sucking Android can make the move any time.

  • http://twitter.com/GyroMac GyroMac

    Android sucks, period... not just at security.

  • http://twitter.com/forty2j Jim McPherson

    This is a feature... people want to be open, don’t they?

  • http://www.johncblandii.com John C. Bland II

    (ducks for onslaught of slurs from Android protectors)

    • http://twitter.com/Moeskido Moeskido

      Not how it works, John. First you have to make an unreasonably generalized claim about the entire consumer population that’s based upon your specific use case.

      Okay, go. ;)

      • http://www.johncblandii.com John C. Bland II

        Ooops. My fault. :-D

        That would be the only way to refute such a broad, sweeping, incorrect statement. ;-)

  • http://www.bynkii.com/ John C. Welch

    It is, in fact, one of the downsides of open, esp. in a device aimed at nontechnical users. You want your garden open to all; at some point, you get hobos shitting in the fountain and sleeping on the benches.

  • Alex
    Of course, iOS doesn’t have this problem

    Saved for future claim chowder…

    • rj

      My guess is Jim was being sarcastic. Surely, he isn’t making a claim that iOS prevents developers from writing insecure networking code?

      From the article: “The paper made no attempt to measure the security provided by apps available for Apple’s competing iOS platform.”

      • http://www.johncblandii.com John C. Bland II

        Look, developers do dumb stuff (no https on sensitive requests, plain text passwords, etc, etc, etc). iOS developers aren’t inherently smarter because they dev for iOS so of course the problem is in iOS.

        The Android SDK provides ways to securely save local data. Some devs were just dumb enough not to use it.

        – By dumb I don’t mean intellectually, I just mean they are either uninformed or not very good at what they do.

        • Steven Fisher

          Well, the default behaviours on iOS are picked to be more secure.

          Passwords stored in plain text are always bad, but it’s less bad if you need to jailbreak your phone in order to access them. In this area, though, Apple’s made doing the right thing more difficult than it should be. Storing passwords unencrypted is a single line of code; there’s no reason storing them encrypted should be several dozen.

          Rejecting invalid SSL certificates is the default behaviour on iOS. In one of my projects, I had to write code to allow the user to accept them. The path of least resistance is simple rejection; it’s actually harder to accept them. Of course, proper prompting to allow the user the choice is harder still.

          • http://www.johncblandii.com John C. Bland II

            I’m not buying it (iOS defaults are more secure). Android (sdk) has a TON of crypto options. If a dev chooses not to use them, that’s on them.

            As a dev, I don’t care what the default is so long as I have the tools necessary to protect my users.

            True on the paths. That’s the thing, as well: developers can be lazy. When they are, users pay for it.

          • JohnDoey

            iOS developers who screw the user over are removed from the platform for life, and lose all of their shipping apps. Please tell me where there is anything equivalent to keep devs honest on Android.

          • Steven Fisher

            The part you’re not buying is the same part you declare true, just rephrased: The frameworks make good decisions. You can do whatever you want, but when it’s easier to do the right thing than to cheat, you get better security on average because most of the developers are lazy bastards.

            This doesn’t affect people like you and me, who think things through and try to do the right thing (or, at least, try to). It only affects the vast majority of builders of shitty apps, that are thrown together quickly to make a buck off the ignorant before a rating is established.

            I seriously doubt that iOS is much more secure for developers who know what they’re doing. After all, even if the OS itself leaves something open, if you’re making an effort you just find a way to close it.

          • http://www.johncblandii.com John C. Bland II

            Nah, I’m not buying the part about the defaults because for good devs defaults don’t matter; in the sense that you’ll probably change them no matter what they are.

            Agreed on laziness for sure. :)

        • JohnDoey

          They have no reason to care.

          This is not about technology, which is why it is a problem in the first place. Google only knows technology.

          iOS apps have an incentive to be much higher quality so that they can pass Apple’s strict approvals, sell for $, and so that the developer can stay in the ONE app store on the platform. It is like being part of a union — screw up and you are out and that is it.

          On Android, there are thousands of app stores with no approvals. There are almost no $ spent on apps. The incentive is to ship fast, ship a lot, and drain as much valuable data from the user as possible.

          You guys are making excuses for Windows again, assuming it is like the Mac because it copied some parts of the Mac. The thing to look at is the differences. Mac OS X has never had a virus because of specific preventative measures that Apple took and Microsoft did not. The same thing has happened with Android. It has a coat of iOS paint, but its heritage is the Sidekick and Java phones, which have always had viruses and have always been insecure.

          So this all has ZERO to do with “networking code” or API. This is about the old Cecil B. DeMille quote that there is a sucker born every minute, and a minute later he is sold an insecure generic computer and insecure generic phone by most of the technology industry. Not accidentally insecure, but very deliberately insecure. They absolutely know that they have not done the work that Apple has done to secure the devices on behalf of the user.

          • http://www.johncblandii.com John C. Bland II

            You actually had a good point going but you sir are way off base.

            iOS developers do have to pass strict guidelines but none of those guidelines pertain to how data is handled (see Contacts-gate; where your data was willfully and openly sent to 3rd parties and Apple had no way of stopping it).

            Android is wide open where you can launch an app immediately. Yes, there are multiple app stores but there is only 1 true Android store (Google Play) and one from Amazon. The others are practically irrelevant.

            Sure, Macs (my chosen platform) never have viruses: http://securitywatch.pcmag.com/none/295168-the-ten-most-dangerous-mac-viruses.

      • http://twitter.com/shycophante Shyco Phante

        I doubt he was. But it’s fun listening to the podcast on the few occasions when Dan Benjamin tries to coerce Jim into justifying his inane commentary on here. Last week’s Amplified show was a good one as he fell flat on his face discussing Microsoft Surface.

  • Luke

    iOS has the exact same problem (for example, see recent news about WhatsApp). Apple doesn’t force apps to use proper encryption.

    It’s okay to like Apple, but this kind of reporting is just irresponsible for an ostensibly serious news site.

    • http://twitter.com/shycophante Shyco Phante

      There is very little evidence of this being a serious news site. It’s great for confirming Apple rumours, general Apple cheerleading and dismissing Apple’s competitors whenever a new product is on the horizon. Confirming Apple rumours with a quick “yep” is about as deep as the insight goes on here.

      • JohnDoey

        This is, in fact, an “Apple enthusiast’s blog,” genius. I do not ever recall anybody but you complaining about the lack of serious news.

    • JohnDoey

      That is BS excusifying.

      On iOS, there is ZERO INCENTIVE TO SCREW OVER THE USER. It is easy to make money IN LEGITIMATE WAYS. And Apple can ban you from THE ONE APP STORE ON THE PLATFORM if they feel you are screwing over users.

      On Android, there is almost no way to make money with an app. Almost nobody buys apps. The advertising rates are very low. There are no approvals to pass. Nobody to ban you from the THOUSANDS of app stores. The way to make money is by shipping the crappiest, fastest, least-tested app and pulling out as much valuable information from the user as possible and selling it to marketing companies. THAT IS HOW ANDROID DEVS MAKE MONEY.

      So just stop already. You are like a child, unaware of the dangers of the world and telling other children to go home with strangers.

  • Zeatrix

    It’s naive to think that “iOS doesn’t have this problem”. It might not to the same extent as Android, but to believe an operating system, any operating system, is without flaws is dangerous.
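The post only says the apps use “inadequate encryption protections,” and the thread above argues about whether that is a platform or a developer problem (“no https on sensitive requests,” rejecting invalid SSL certificates by default). What that usually looks like in Android code, and this is an assumption, not something the post states, is a custom X509TrustManager whose checkServerTrusted() does nothing, a HostnameVerifier that always returns true, the Apache ALLOW_ALL_HOSTNAME_VERIFIER constant, or a login URL hard-coded as http://. The script below is an added example, not code from the article, the cited study, or any commenter: a Python heuristic that flags those four patterns in Java/Android source text (decompiler output works). The Finding class, the rule names and the Java sample it runs over are constructed for this example; the sample is not from any real app.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    detail: str


# String literals are matched first so the "//" inside "http://..." is not taken for a comment.
_TOKEN_RE = re.compile(r'"(?:\\.|[^"\\\n])*"|//[^\n]*|/\*.*?\*/', re.DOTALL)


def _strip_comments(src):
    """Blank // and /* */ comments to spaces (newlines kept) so line numbers survive."""
    def repl(m):
        tok = m.group(0)
        return tok if tok.startswith('"') else re.sub(r"[^\n]", " ", tok)
    return _TOKEN_RE.sub(repl, src)


def _brace_body(src, start):
    """Text inside the first balanced {...} block at or after `start`, or None."""
    open_idx = src.find("{", start)
    if open_idx < 0:
        return None
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    return None


def _lineno(src, idx):
    return src.count("\n", 0, idx) + 1


# (rule, method-declaration regex, predicate over the whitespace-stripped method body)
_METHOD_RULES = [
    ("trust-all-certs", re.compile(r"void\s+checkServerTrusted\s*\("),
     lambda b: b in ("", "return;")),                       # no check, no exception
    ("accepted-issuers-null", re.compile(r"getAcceptedIssuers\s*\(\s*\)\s*\{"),
     lambda b: b == "returnnull;"),                         # usual companion of trust-all
    ("hostname-verifier-always-true",
     re.compile(r"boolean\s+verify\s*\(\s*(?:final\s+)?String\b"),
     lambda b: b == "returntrue;"),                         # any name on a valid cert passes
]
# (rule, token regex): a hit anywhere outside comments
_TOKEN_RULES = [
    ("allow-all-hostname-verifier",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER|AllowAllHostnameVerifier")),
    ("cleartext-url", re.compile(r'"http://[^"]*"')),
]


def scan(src):
    """Return findings sorted by line. Heuristic: it matches text, not semantics."""
    code = _strip_comments(src)
    findings = []
    for rule, rx, is_bad in _METHOD_RULES:
        for m in rx.finditer(code):
            body = _brace_body(code, m.start())
            if body is not None and is_bad("".join(body.split())):
                findings.append(Finding(rule, _lineno(code, m.start()), m.group(0).strip()))
    for rule, rx in _TOKEN_RULES:
        for m in rx.finditer(code):
            findings.append(Finding(rule, _lineno(code, m.start()), m.group(0)))
    return sorted(findings, key=lambda f: f.line)


# Constructed Java sample: a broken client, then a delegating manager that must not be flagged.
SAMPLE = """\
// Constructed sample for this example; not code from any real app.
public class LoginClient {
    private static final String LOGIN_URL = "http://bank.example/login";
    static final TrustManager[] TRUST_ALL = new TrustManager[] {
        new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String authType) {
                // accept anything so the self-signed staging server works
            }
            public X509Certificate[] getAcceptedIssuers() { return null; }
        }
    };
    static final HostnameVerifier ANY_HOST = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) { return true; }
    };
    static { HttpsURLConnection.setDefaultHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER); }
}
// Delegating manager: platform validation first, then a pin check; must not be flagged.
class PinnedTrustManager implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        platformTm.checkServerTrusted(chain, authType);
        if (!PIN.equals(fingerprint(chain[0]))) throw new CertificateException("pin mismatch");
    }
    public X509Certificate[] getAcceptedIssuers() { return platformTm.getAcceptedIssuers(); }
}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.line:>4}  {f.rule:<30} {f.detail}")
```

On the sample it reports the cleartext URL, the empty checkServerTrusted(), the null getAcceptedIssuers(), the always-true verify() and the ALLOW_ALL constant, and nothing in PinnedTrustManager. Treat a hit as a lead, not a verdict: confirm it by reading the code or by pointing the app at a proxy with an untrusted certificate and seeing whether the login request still goes through.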