Is Your Application Secure?

If you’re looking for a way to make your applications run more efficiently and save the battery of your end users, you might want to visit the AT&T Developer Program Application Resource Optimizer (ARO). The ARO is a free tool that measures the network activity of your mobile application and grades you against 13 best practices that will speed up your mobile apps. This alone is reason enough to test your mobile app with ARO – speed and efficiency should be hallmarks of any mobile app.

Today, I’d like to tell you about another reason to use ARO. This one will not speed up your app, but it MAY save you from an embarrassing security incident. When the press reports on an app's improper handling of data, it is generally not good news for the application owner. Are you handling your customers’ data properly?

I’ll show you two examples of applications where ARO found major security lapses in the data being transmitted:

1. You’ve got (my) E-mail

The first lapse: sending sensitive information like passwords in the clear. Sensitive customer information should NEVER be sent without encryption. Yet here is a screen shot of data that I took in a recent network trace:

Look at the first line. Yes, this is my e-mail address (LOGIN) and my password (inside the quotes).  Yowzers! What if this account had all of my personal details in it?  Luckily, this is a test account with more spam in it than the canned meat aisle at the grocery store.  All it takes is one bad guy intercepting this data to wreak havoc on your customer.  Obviously, this is not a good idea, and should be avoided.

2. You take the high road, and I’ll take the low road

I was speaking to a developer who mentioned that I would not be able to see any of their data, since it is all sent in a secure https websocket.  We ran the test anyway. What I discovered was that the data that was supposed to be secure was being sent under regular http without any encryption!  Both connections ended in the same place (the encrypted road, and the unencrypted road), but the data was taking a different route than expected.   Luckily, this app was not transmitting banking data of customers, but the developers were still surprised by my findings.

Here is a screen shot from the ARO tool for scenario #2. In this case, the websocket packets are colored in green, and the file that is SUPPOSED to be in that websocket is in gray. Companies that deal with sensitive information should utilize ARO (or other tools like ARO) to ensure that they are not jeopardizing their customers’ data.
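Both scenarios above come down to the same check on a network trace: is anything credential-like travelling over a plain http or ws connection, and is any host you expect to reach only over https/wss showing up on the unencrypted road? The script below is an added example of that check, written for this post and not part of the ARO tool or its output format. The `Request` record, the `CREDENTIAL_KEYS` list, the host names and the sample traffic are all constructed for illustration; in practice you would feed it whatever request log your capture tool exports.

```python
"""Audit a list of captured HTTP/WebSocket requests for the two problems
described in the post: credentials sent in the clear, and traffic that
should have used https/wss but went over http/ws instead.

Constructed example: the record layout and sample trace are hypothetical
and stand in for whatever a network capture tool exports."""

import json
from dataclasses import dataclass, field
from typing import Dict, List, Set
from urllib.parse import parse_qsl, urlsplit

# Field names that usually carry credentials. Compared case-insensitively;
# a real audit would tune this list to the app's own API.
CREDENTIAL_KEYS = {
    "password", "passwd", "pwd", "pass", "login", "user", "username",
    "token", "apikey", "api_key", "secret", "auth",
}

# Schemes that give the network no confidentiality at all.
CLEARTEXT_SCHEMES = {"http", "ws"}


@dataclass
class Request:
    method: str
    url: str                      # full URL including scheme
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def _keys_in(payload: str) -> List[str]:
    """Field names in a form-encoded or flat JSON payload (top level only)."""
    payload = payload.strip()
    if payload.startswith("{"):
        try:
            data = json.loads(payload)
        except ValueError:
            return []
        return list(data.keys()) if isinstance(data, dict) else []
    return [k for k, _ in parse_qsl(payload, keep_blank_values=True)]


def credential_fields(req: Request) -> List[str]:
    """Names of credential-like fields visible in the request: form or JSON
    body, query string, and Authorization header (Basic is only base64 and
    a Bearer token is a credential too)."""
    found = [
        k for k in _keys_in(req.body) + _keys_in(urlsplit(req.url).query)
        if k.lower() in CREDENTIAL_KEYS
    ]
    auth = req.headers.get("Authorization", "")
    if auth.lower().startswith(("basic ", "bearer ")):
        found.append("Authorization")
    return found


def audit(trace: List[Request], secure_hosts: Set[str]) -> List[str]:
    """Return one finding string per problem.

    CLEARTEXT_CREDENTIALS: credential-like data over http/ws (scenario 1).
    WRONG_SCHEME: a host that should only be reached over https/wss was
    observed over http/ws (scenario 2, the 'other road')."""
    findings = []
    for req in trace:
        parts = urlsplit(req.url)
        if parts.scheme.lower() not in CLEARTEXT_SCHEMES:
            continue                       # encrypted transport, nothing to flag
        creds = credential_fields(req)
        if creds:
            findings.append(
                f"CLEARTEXT_CREDENTIALS {req.method} {req.url} fields={creds}")
        if parts.hostname in secure_hosts:
            findings.append(
                f"WRONG_SCHEME {req.method} {req.url} expected https/wss")
    return findings


# Constructed sample trace (hypothetical hosts under .test).
SAMPLE_TRACE = [
    Request("POST", "http://mail.example.test/login",
            {"Content-Type": "application/x-www-form-urlencoded"},
            "LOGIN=doug%40example.test&PASSWORD=%22correct-horse%22"),
    Request("GET", "https://api.example.test/v1/inbox",
            {"Authorization": "Bearer REDACTED"}),
    # Should have travelled inside the wss:// socket, went over http instead.
    Request("GET", "http://api.example.test/v1/inbox/messages.json"),
    Request("GET", "wss://api.example.test/stream"),
    Request("GET", "http://cdn.example.test/logo.png"),   # public asset, fine
]
EXPECTED_SECURE_HOSTS = {"api.example.test"}


def run_sample() -> List[str]:
    return audit(SAMPLE_TRACE, EXPECTED_SECURE_HOSTS)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The scheme check runs before the credential check on purpose: a Bearer token over https is what you want, so only cleartext transports are inspected at all. The second rule is the one that would have caught scenario 2, and it needs you to state which hosts are supposed to be secure; the trace alone cannot tell you what the developer intended.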

Running your app through ARO is a simple test, and you owe it to your customers to make sure that the data you are using is being transmitted securely.

What resources are you using to track and ensure the security of your apps?
Doug Sillars, Principal Technical Architect, AT&T