Let me tell you about the birds and the bees. There’s an app for that. Actually – there’s an app for anything, it seems, for iOS and Android devices. I sold my soul to the devil a couple of years ago when I had a buyout offer on an iPhone 4 I used at work. At my current job I also sport an Android-based phone. I like to keep my private life separated from work – hence two phones. A colleague of mine likes to test out various apps during the weekends and often reports back to me what he thinks works and what doesn’t. To me this just flows in and out of my head without touching my brain. I have a reason for not paying attention: I don’t care, and I do not trust apps.
I find it awkward using apps because I have no way to find out if the app is safe prior to downloading it. The worst kind are those apps that try to make my life more efficient by connecting to various online services. Apps that ask for both username and password – it makes me shiver. When staring at the download panel or screen they all seem fine. But – nowhere can I find out whether they transmit my credentials using secure sockets. It would be darn easy to sniff out the credentials if they don’t use such sockets. Further – how can I trust that they will not abuse my credentials? I would imagine it would be easy to slip in a bit of malicious code or pass on the data to an external entity without me knowing. Sure, I might be paranoid regarding this. On the other hand – it’s my profession: to detect, report and take action.
A couple of months ago the local newspaper reported that a 16-year-old whizkid was quite successful in churning out apps. He was so successful that he wanted to fund his own company. This scares me. When I was 16 I read C++ books to kick-start my programming career. God knows I wrote crappy code – but hey, I learnt to make software. Later on I chose to study computer science in order to make my software better. I learnt patterns, what to do and what not to do. Should I trust a 16-year-old boy to write good, clean and secure code? A boy without formal education?
Even experienced programmers dabbling with apps make errors. A company I know of has several senior engineers making apps. They have no formal training, but they’re trying their best. Sadly, they churn out badly written apps. I don’t know who’s to blame. Should I blame the managers for giving the programmers too little time? Should I blame the customer for not caring about security? Or should I just blame the programmers for not thinking about security? Come on! They actually sent several payment apps to market without securing their sockets. A feast for sniffers indeed. It’s no better that the remote REST API only accepted username and password sent in a GET request either.
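The two mistakes just described (credentials carried over a plain, non-TLS socket, and credentials placed in a GET query string where proxies and server logs record them) are easy to check for once you can see what an app sends. The following audit script is an added example, not code from the original post or from the company it describes; the request records, the `.invalid` hostnames and the list of credential parameter names are constructed for illustration.

```python
"""Audit outbound app requests for two failure modes:
credentials carried over a plain-text (non-TLS) socket, and credentials
placed in a GET query string.

Added example, not code from the original post. The request records and
the CREDENTIAL_KEYS set are constructed assumptions for illustration.
"""
from urllib.parse import urlsplit, parse_qs

# Parameter names commonly used for credentials (assumption; extend per app).
CREDENTIAL_KEYS = {"username", "user", "login", "password", "pass", "pwd", "token"}


def audit_request(method: str, url: str, body: str = "") -> list:
    """Return a list of findings (strings) for one outbound request.

    method: HTTP method as the app would send it ("GET", "POST", ...)
    url:    full request URL, including any query string
    body:   form-encoded request body, if any
    """
    findings = []
    parts = urlsplit(url)
    query_keys = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    body_keys = {k.lower() for k in parse_qs(body, keep_blank_values=True)}

    creds_in_query = query_keys & CREDENTIAL_KEYS
    creds_in_body = body_keys & CREDENTIAL_KEYS
    carries_creds = bool(creds_in_query or creds_in_body)

    # 1. Credentials in the URL end up in proxy, server and access logs,
    #    regardless of whether the transport is encrypted.
    if creds_in_query:
        names = ", ".join(sorted(creds_in_query))
        findings.append(
            f"credentials in query string ({names}) of {method.upper()} {parts.path}"
        )
    # 2. Credentials over plain HTTP are readable by anyone on the network path.
    if carries_creds and parts.scheme.lower() != "https":
        findings.append(
            f"credentials sent over {parts.scheme or 'unknown'} (no TLS) to {parts.netloc}"
        )
    return findings


def audit_requests(requests) -> dict:
    """Audit a sequence of (method, url, body) triples.

    Returns {url: findings} for every request that produced at least one finding.
    """
    report = {}
    for method, url, body in requests:
        findings = audit_request(method, url, body)
        if findings:
            report[url] = findings
    return report


# Constructed sample traffic, modelled on the two problems the post describes.
SAMPLE_REQUESTS = [
    # Login over plain HTTP with credentials in the GET query string: both findings.
    ("GET", "http://api.example.invalid/login?username=alice&password=s3cret", ""),
    # Credentials in a POST body, but still over plain HTTP: one finding.
    ("POST", "http://api.example.invalid/login", "username=alice&password=s3cret"),
    # Credentials in a POST body over TLS: no findings.
    ("POST", "https://api.example.invalid/login", "username=alice&password=s3cret"),
    # Non-credential GET over plain HTTP: no finding (nothing sensitive carried).
    ("GET", "http://cdn.example.invalid/logo.png", ""),
]

if __name__ == "__main__":
    for url, findings in audit_requests(SAMPLE_REQUESTS).items():
        print(url)
        for finding in findings:
            print("  -", finding)
```

Run against the constructed sample, the first two requests are reported and the last two are clean. In practice the triples would come from a capture of the app's own traffic taken in a test environment, and the credential-key set would be tuned to the parameter names the app actually uses.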
The users are consumers. They consume whatever is served without giving it any critical thought. So what if the credentials are scattered all around? I ask myself: “what can we do to raise their awareness?” Maybe we should specify how the app communicates with other services, and how secure this is, already on the download screen? We should also raise better programmers, customers and project managers. For that I have no answer except education, giving more time and informing the customers about side effects.
For now – I will continue my distrust regarding apps. All in all they’re just the same as .exe files. We usually don’t know their quality either. But still. There’s an app for anything. Even apps that display websites that offer what the app was set out to serve in the first place. Using insecure sockets.