
posted by LaminatorX on Monday June 22 2015, @02:30AM
from the opposite-day dept.

http://arstechnica.com/security/2015/06/game-over-https-defects-in-dozens-of-android-apps-expose-user-passwords/

Many Android apps in the Google App store do not properly use HTTPS for logins, thus exposing user passwords.

  • (Score: 2) by gnuman (5013) on Monday June 22 2015, @08:57PM (#199583)

    Why is it so stupid?

    There are penalties in engineering: if an engineer makes terrible decisions and a building/bridge collapses, then they can be liable, including imprisonment. When was the last time an engineer went to jail? Why are most residential foundations in North America cracking? Why aren't these "professionals" accountable? When was the last time a doctor went to jail because their patient died?

    Software is not like doctors. Or engineers, where you can test the strength of every component and know it works. Software is a house of cards, bugs on top of bugs. If you change something at the bottom, the entire thing can topple even if the change was 100%. This is why software relies on extensive unit testing and integration frameworks. You can write 100% correct software that then will crash and burn because someone commented out one line of code.

    https://www.debian.org/security/2008/dsa-1571 [debian.org]

    or because it was compromised by,

    http://news.softpedia.com/news/NIST-Removes-NSA-Made-Crypto-Algorithm-from-RNG-Recommendations-List-438944.shtml [softpedia.com]

    Who is going to hold the NSA accountable? What about volunteers? What makes someone a "professional"? And what about the PHB that breathes down on the developer: "fuck security, we need to ship it NOW"?

    This is why this is a stupid idea. There are millions of developers in this world. We don't need most of them pushing paperwork to comply with some random "rules" just so parts of "Angry Birds" can be written better. Look at the abysmal state of security in medical devices - and that is a *regulated* field. If they aren't able to fix it in that niche, what makes you think you can solve it in general?

  • (Score: 0) by Anonymous Coward on Tuesday June 23 2015, @01:19AM (#199680)

    > There are penalties in engineering: if an engineer makes terrible decisions and a building/bridge collapses, then they can be liable, including imprisonment. When was the last time an engineer went to jail? Why are most residential foundations in North America cracking? Why aren't these "professionals" accountable?

    Because the problem there isn't shoddy design, it's that they haven't been maintained. The government has a responsibility to maintain infrastructure, so they should be the ones in prison when bridges collapse after decades of neglect.

  • (Score: 1, Interesting) by Anonymous Coward on Tuesday June 23 2015, @08:35AM (#199786)

    > Software is not like doctors. Or engineers, where you can test the strength of every component and know it works.

    Ever heard of unit testing?

    > Software is a house of cards, bugs on top of bugs.

    This sadly describes a lot of software written today. But that's not a law of nature, that's the result of incompetent programmers.

    > If you change something at the bottom, the entire thing can topple even if the change was 100%.

    If you remove the wrong wall from the basement of a building, the whole building can collapse. So how is that different from software?

    If your software structure is properly documented, you know what you can change and what you cannot change without the software stack cracking down.

    > You can write 100% correct software that then will crash and burn because someone commented out one line of code.

    Given that the change was to remove undefined behaviour, I don't agree that the software was 100% correct. The "fix" of course was causing the behaviour to be defined, but wrong. In addition, according to this site [taint.org] the SSH authors were not reachable to ask about it; another thing that would be covered by proper standards (indeed, arguably such parts as ensuring proper reachability — within the limits of reasonable effort, of course — are even more important than standards about the actual code).

    > Who is going to hold the NSA accountable?

    Well, three-letter agencies break the law all the time, so that's not an argument … but if someone has to lose real money because of their actions, the pressure to actually hold them accountable will be much larger (remember, big companies funding the politicians will not like being at financial risk).

    > What about volunteers? What makes someone a "professional"?

    If you enter contracts about doing the work, you're acting as a professional. If you ask for money for your product, you're acting as a professional.

    > And what about the PHB that breathes down on the developer: "fuck security, we need to ship it NOW"?

    Well, that PHB will then later have to tell his boss why the company has to pay those liabilities. And due to process documentation standards, there will be no question who is responsible.

    > Look at the abysmal state of security in medical devices - and that is a *regulated* field.

    Are there regulations about device security?

    Anyway, you might be right in claiming that it is a bad idea; I certainly didn't do an extensive analysis of the pros and cons. But a bad idea is not the same as a stupid idea. And I keep claiming that the idea is not stupid.