FireEye has published new research which found that, of the free apps with over a million downloads, 88% use some cryptographic functionality provided by the Android platform, and 62% of those have cryptographic vulnerabilities. What this means is that while the authors and end users of these apps might think their data is secure, it is easier to decrypt than they would expect.
There seems to be a trend at the moment for researchers to spot vulnerabilities, on all platforms, without really explaining how developers can prevent or fix them. Many cryptographic concepts are beyond all but the most experienced (or highly curious) developers. While developers of highly secure apps might have the time to look deeply into encryption, the average developer needs examples or libraries on which to base their work.
As it happens, a library called java-aes-crypto became available this week: a simple Android class for encrypting and decrypting strings that aims to avoid the classic mistakes. There are more libraries mentioned in my article on Encrypting Your Sensitive Data, and I also have tips on Taking Care with Encryption. You might also like to read Tozny’s post on Making Better Mistakes.
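To make the "classic mistakes" concrete, here is an added example (my own code, not java-aes-crypto’s and not from the FireEye research) that puts the weak pattern beside a hardened one. The weak half is what a lot of apps do: a key built from a string literal and `Cipher.getInstance("AES")`, which the Android and JCE providers resolve to AES/ECB/PKCS5Padding, so there is no IV and no integrity check, and identical plaintext blocks produce identical ciphertext blocks. The hardened half uses AES/CBC with a fresh `SecureRandom` IV, a generated key, and an HMAC-SHA256 tag over IV and ciphertext that is verified in constant time before anything is decrypted (encrypt-then-MAC). The class name `AesMistakesDemo`, the `Keys` holder and the blob layout (IV || ciphertext || tag) are my choices for this illustration; 128-bit AES is used because it is available on the older Android releases the library targets.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class AesMistakesDemo {

    // --- Weak pattern: shown only to illustrate the mistakes, do not copy ---
    // A key derived from a literal string and Cipher.getInstance("AES"), which on
    // Android/JCE defaults to AES/ECB/PKCS5Padding: no IV, no integrity check.
    static final byte[] HARDCODED_KEY = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);

    static byte[] weakEncrypt(byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES"); // provider default mode is ECB
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(HARDCODED_KEY, "AES"));
        return c.doFinal(plaintext);
    }

    // --- Hardened pattern: AES/CBC, random IV per message, encrypt-then-MAC ---
    public static final class Keys {
        final SecretKey enc;
        final SecretKey mac;
        Keys(SecretKey enc, SecretKey mac) { this.enc = enc; this.mac = mac; }
    }

    static Keys generateKeys() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128); // widely available on older Android/JCE providers
        SecretKey enc = kg.generateKey();
        byte[] macBytes = new byte[32];
        new SecureRandom().nextBytes(macBytes); // independent key for the HMAC
        return new Keys(enc, new SecretKeySpec(macBytes, "HmacSHA256"));
    }

    // Blob layout (this example's own choice): IV (16) || ciphertext || HMAC-SHA256(IV || ciphertext) (32)
    static byte[] encrypt(Keys k, byte[] plaintext) throws Exception {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv); // fresh IV every time; never reuse one with the same key
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, k.enc, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext);
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(k.mac);
        mac.update(iv);
        mac.update(ct);
        byte[] tag = mac.doFinal();
        byte[] out = new byte[iv.length + ct.length + tag.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        System.arraycopy(tag, 0, out, iv.length + ct.length, tag.length);
        return out;
    }

    static byte[] decrypt(Keys k, byte[] blob) throws Exception {
        if (blob.length < 16 + 32) throw new IllegalArgumentException("blob too short");
        byte[] iv = Arrays.copyOfRange(blob, 0, 16);
        byte[] ct = Arrays.copyOfRange(blob, 16, blob.length - 32);
        byte[] tag = Arrays.copyOfRange(blob, blob.length - 32, blob.length);
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(k.mac);
        mac.update(iv);
        mac.update(ct);
        // Verify the tag before touching the ciphertext, using a constant-time compare
        if (!MessageDigest.isEqual(tag, mac.doFinal())) {
            throw new SecurityException("MAC check failed: ciphertext modified or wrong key");
        }
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, k.enc, new IvParameterSpec(iv));
        return c.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: the same 16-byte block twice in a row
        byte[] repeated = "SAME BLOCK HERE!SAME BLOCK HERE!".getBytes(StandardCharsets.US_ASCII);

        // ECB check: compare the first two ciphertext blocks of the weak output
        byte[] weak = weakEncrypt(repeated);
        boolean ecbLeak = Arrays.equals(Arrays.copyOfRange(weak, 0, 16), Arrays.copyOfRange(weak, 16, 32));
        System.out.println("ECB: repeated plaintext block visible in ciphertext? " + ecbLeak);

        // Hardened check: encrypting the same message twice must not give the same blob
        Keys k = generateKeys();
        byte[] blob1 = encrypt(k, repeated);
        byte[] blob2 = encrypt(k, repeated);
        System.out.println("CBC+HMAC: same plaintext twice gives identical output? " + Arrays.equals(blob1, blob2));
        System.out.println("round trip: " + new String(decrypt(k, blob1), StandardCharsets.US_ASCII));

        // Tampering check: flip one bit of the ciphertext; the MAC rejects it before decryption runs
        blob1[20] ^= 0x01;
        try {
            decrypt(k, blob1);
        } catch (SecurityException e) {
            System.out.println("tampered: " + e.getMessage());
        }
    }
}
```

Run it with `javac AesMistakesDemo.java && java AesMistakesDemo`. The first check is the visible symptom of ECB: with the repeated input, the weak ciphertext's first two blocks are byte-for-byte equal, which is exactly the kind of structure an attacker can read off encrypted data without the key. The hardened path has three properties the weak one lacks: the key never appears in the APK as a literal, every message gets a different IV so repeated plaintexts are unlinkable, and any modification of the ciphertext is rejected before the padding oracle in `doFinal` is ever reachable. If you are on API 19 or later, AES/GCM/NoPadding gives you the same confidentiality-plus-integrity guarantee in one primitive; the CBC-plus-HMAC construction here is the one to use when you must support older devices.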