Android SSL Problems

Bruce Morton

There have been a lot of articles written recently about SSL problems in Android applications, which German university researchers reported after finding that many apps do not properly validate the server's certificate. My issue? Nobody is telling users what to do about the problems.
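The form these application-side problems typically take is an app that replaces Android's default certificate validation with code that accepts any certificate or any hostname, which leaves the connection open to anyone who can intercept it. The following is an added example, not code from the original post or from the research it refers to, written in plain Java so that it runs on a desktop JDK (the same javax.net.ssl classes exist on Android). The class name CertificateValidationDemo and the test URL https://self-signed.badssl.com/ are assumptions for the demonstration.

```java
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class CertificateValidationDemo {

    // VULNERABLE: a TrustManager that never throws accepts any certificate chain,
    // including a self-signed one presented by an attacker on the same Wi-Fi network.
    static final X509TrustManager TRUST_EVERYTHING = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // VULNERABLE: a HostnameVerifier that always returns true accepts a certificate
    // issued to any name, so a valid certificate for one site works for every other site.
    static final HostnameVerifier VERIFY_NOTHING = (hostname, session) -> true;

    // The broken configuration: the app overrides the platform's certificate checks.
    static SSLContext brokenContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { TRUST_EVERYTHING }, null);
        return ctx;
    }

    // The correct configuration: trust only the platform's certificate store and let
    // the default HostnameVerifier check that the certificate matches the URL's host.
    static SSLContext defaultContext() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);   // null selects the platform's default trust store
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Makes one HTTPS request with the given trust settings and returns the status code.
    static int fetch(SSLContext ctx, HostnameVerifier verifier, String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(verifier);
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        // Assumption: https://self-signed.badssl.com/ is reachable. It deliberately serves
        // a self-signed certificate, which is what a man-in-the-middle would present.
        String url = args.length > 0 ? args[0] : "https://self-signed.badssl.com/";

        try {
            int status = fetch(defaultContext(), HttpsURLConnection.getDefaultHostnameVerifier(), url);
            System.out.println("default validation accepted the server: HTTP " + status);
        } catch (SSLException e) {
            // Expected outcome for the self-signed test host.
            System.out.println("default validation rejected the certificate: " + e.getMessage());
        }

        // The vulnerable configuration proceeds silently and sends the request.
        int status = fetch(brokenContext(), VERIFY_NOTHING, url);
        System.out.println("trust-everything configuration accepted the server: HTTP " + status);
    }
}
```

Run it with `java CertificateValidationDemo.java` (Java 11 or later). The default configuration throws an SSLHandshakeException for the self-signed host, while the trust-everything configuration completes the request as if nothing were wrong, and the user sees no difference between the two. When reviewing an application before approving it for sensitive use, any custom X509TrustManager or HostnameVerifier in the app is the first thing to look for.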

This reminded me of a discussion I had where it was stated Android to iOS today is like PC to Mac.

In the old days, Apple came out with the Macintosh. It had a GUI, and Apple provided the hardware, the operating system and most of the applications. At the same time, Microsoft had DOS and then Windows. The Microsoft operating systems were designed to run on the PC, which was made by many manufacturers. Microsoft had its own applications, but so did many other vendors.

In the end, the openness of the PC model won out and was largely accepted in the market. It also made the PC the more attractive target: the installed base was larger, and the openness lowered the overall level of security.

In today’s mobile era, Apple introduced the iPhone. Apple again provides the hardware, the operating system and some of the applications, but this time it has opened the platform to many other suppliers of applications. Apple also imposes more developer rules, so an application has to meet certain criteria before it is made available through the App Store.

Conversely, Android is an open-source project in which Google plays the key role. Android hardware is made by many suppliers, and applications come from many suppliers too, with fewer criteria to meet before they can be installed. This looks very much like the PC model, and Android is steadily gaining market share because of it. The open model also allows applications to do things they cannot do on the more closed iOS platform.

All this is to say that there are security problems with Android applications. So what did we expect? If the controls are weak, how can we expect high quality?

What should users do? These phones can do some cool stuff: you can talk on them, send email, browse the Web and use thousands of applications. But who says the cool stuff is secure? I’m sure far more developer time is invested in coolness than in security.

Users are advised to be careful when using a mobile device for anything where security needs to be a priority. An application gives the user no visible indication of whether it is checking the server’s certificate, so a flawed application is most exposed on a network the user does not control, such as public Wi-Fi. Users should:

  • Use a different password for each application
  • Not use applications for anything security-sensitive unless they have been reviewed and approved (either corporately or by a trusted security researcher)

Along with the above advice, users should secure their mobile device by doing the following:

  • Have the device lock automatically and require a passcode to unlock it
  • Review and adjust application privacy settings
  • Review location and data sharing permissions
  • Be careful what links you click
  • Enable remote locking, wiping and tracking of the device
  • Do not jailbreak or root your device, as a large percentage of malicious applications can only run on devices that have been

Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.
