The Creepy - And Insecure - Side of iOS and Android Apps
As people have noted in the comments, "iOS" (Apple's operating system for iPhones and iPads) is purely the platform Troy Hunt did his research on... but he's really talking about issues with mobile applications.
I'm my unfortunately sure that these type of issues will also be there on apps on Android and probably on other mobile operating systems from Microsoft, RIM, WebOS, etc.
These are application design issues.
The article starts off with the incredibly inefficient case of stuffing large images from "regular" websites down the mobile pipe to the phone... and then simply "resizing" them with "width" and "height" attributes. This is just laziness"efficiency" on the app developers part in that they are simply "repurposing their existing content" for a mobile audience, i.e. it's too much work/effort for them to create and track a separate smaller image for a mobile environment so they will just send you the larger one and eat up your data plan bandwidth.
But Troy Hunt goes on to talk about far worse issues... he calls out the analytics sent back to Flurry.com in particular (and there are other similar players out there) that report what the user is doing. I agree with Troy Hunt's comment that where this gets "creepy" for me is not so much reporting data back for one application, but rather that all this data is being aggregated across applications inside of Flurry's databases.
And then the truly scary issue of how little security some applications use to protect login credentials (i.e. NONE!) or to protect confidentiality of the information people are seeing.
As Troy Hunt points out with regard to the Facebook app for iOS:
Unfortunately, the very security that is offered to browser-based Facebook users is not accessible on the iPhone client. You know, the device which is most likely to be carried around to wireless hotspots where insecure communications are most vulnerable.
Mobile devices are being brought to the worst possible WiFi environments... and per this article seem to have some awfully insecure apps running on them.
Every mobile developer needs to read this article - and start looking at how to secure their apps!
P.S. Thanks, Troy Hunt, for writing this piece!
- » Unearthing strategic full fibre opportunities as 5G looms: A UK analysis
- » Attorney General calls on the US and its allies to invest in Huawei rivals
- » LG: Coro-no way we're attending MWC over coronavirus fears
- » Bipartisan US delegation express Huawei concerns during Munich Security Conference
- » Why communication service providers are having to embrace AI apps