
posted by LaminatorX on Monday June 22 2015, @02:30AM   Printer-friendly
from the opposite-day dept.

http://arstechnica.com/security/2015/06/game-over-https-defects-in-dozens-of-android-apps-expose-user-passwords/

Many Android apps in the Google App store do not properly use HTTPS for logins, thus exposing user passwords.


  • (Score: 1, Interesting) by Anonymous Coward on Tuesday June 23 2015, @08:35AM (#199786)

    Software is not like doctors, or engineers, where you can test the strength of every component and know it works.

    Ever heard of unit testing?

    Software is a house of cards, bugs on top of bugs.

    This sadly describes a lot of software written today. But that's not a law of nature, that's the result of incompetent programmers.

    If you change something at bottom, the entire thing can topple even if the change was 100%.

    If you remove the wrong wall from the basement of a building, the whole building can crash. So how is that different from software?

    If your software structure is properly documented, you know what you can change and what you cannot change without the software stack cracking down.

    You can write 100% correct software, that then will crash and burn because someone commented out one line of code.

    Given that the change was to remove undefined behaviour, I don't agree that the software was 100% correct. The "fix" of course was causing the behaviour to be defined, but wrong. In addition, according to this site [taint.org] the SSH authors were not reachable to ask about it; another thing that would be covered by proper standards (indeed, arguably such parts as ensuring proper reachability — within the limits of reasonable effort, of course — are even more important than standards about the actual code).

    Who is going to hold NSA accountable?

    Well, three-letter agencies break the law all the time, so that's not an argument … but if someone has to lose real money because of their actions, the pressure to actually hold them accountable will be much larger (remember, big companies funding the politicians will not like being at financial risk).

    What about volunteers? What makes someone a "professional"?

    If you enter contracts about doing the work, you're acting as a professional. If you ask for money for your product, you're acting as a professional.

    And what about the PHB that breathes down on the developer: "fuck security, we need to ship it NOW"?

    Well, that PHB will then later have to tell his boss why the company has to pay those liabilities. And due to process documentation standards, there will be no question who is responsible.

    Look at the abysmal state of security in medical devices - and that is a *regulated* field.

    Are there regulations about device security?

    Anyway, you might be right in claiming that it is a bad idea; I certainly didn't do an extensive analysis of the pros and cons. But a bad idea is not the same as a stupid idea. And I keep claiming that the idea is not stupid.
