With recent revelations from the RSA Security Conference highlighting gaping security holes in iOS8, as well as pointing out that many Android apps don’t perform proper SSL validation, one has to wonder whether mobile data is safe anywhere.
Amit Yoran, President of RSA, kicked off his company’s annual conference with a scathing commentary on the current state of security in the software industry, calling our current mindset “Living in the Dark Ages”.
We are living in the Dark Ages of security. We cling to outmoded world views and rely on tools and tactics from the past, and yet we are surprised to find ourselves living in an era of chaos and violence. We must cast off the past and enter an Age of Enlightenment by pursuing greater visibility into and understanding of our digital world. — RSA Conference Keynote
According to the Computer Emergency Response Team (CERT), 22,000 apps on Google’s Play Store, including ones from Kaspersky and Webroot, don’t validate the authenticity of the certificates they use to secure communications with their back-end servers. This means that millions of users are exposed to certificate spoofing, or to servers presenting certificates that have already been revoked by trusted certificate issuers. To make matters worse, SSL certificate validation is turned ON by default by Google and has to be deliberately turned off by developers. CERT analyst Will Dormann built a web proxy to test for SSL validation and then emailed the developers of every app that failed the test. To date, only 0.1% of the developers notified have fixed their apps.
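As an added illustration (not code from the article, from CERT, or from any of the apps named), here is the Android/Java anti-pattern behind this finding beside the validating default the platform ships with, plus an offline self-check a developer can put in a unit test; the class and method names are assumed.

```java
import javax.net.ssl.*;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

// Added example: shows why "turning validation off" is a deliberate act and
// how to confirm an app still uses the validating platform default.
public final class TlsValidationDemo {

    // INSECURE: the pattern code auditors look for. checkServerTrusted never
    // throws, so any certificate (self-signed, spoofed, revoked) is accepted.
    static X509TrustManager trustAllManager() {
        return new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
    }

    // SECURE: the validating manager Java/Android installs when an app does
    // not override it. A null KeyStore selects the platform trust store.
    static X509TrustManager defaultManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Self-check: a validating manager must reject an empty chain (a constructed
    // worst case, no network needed); a trust-all manager silently accepts it.
    static boolean acceptsEmptyChain(X509TrustManager tm) {
        try {
            tm.checkServerTrusted(new X509Certificate[0], "RSA");
            return true;
        } catch (Exception e) { // CertificateException or IllegalArgumentException
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("trust-all accepts empty chain: " + acceptsEmptyChain(trustAllManager()));
        System.out.println("default accepts empty chain:   " + acceptsEmptyChain(defaultManager()));
        // Hardened client: never pass a trust-all manager to SSLContext.init or an
        // accept-all HostnameVerifier to HttpsURLConnection; the defaults validate
        // the chain, expiry and hostname without any extra code.
    }
}
```

The same check applied to the X509TrustManager an app actually installs is a cheap regression test against validation being switched off again later.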
Skycure, another security research firm, also announced at RSA 2015 a major hole in the SSL processing in iOS8 that lets attackers force iOS8 devices into an infinite reboot loop with no interaction from the user. Dubbed the “no iOS Zone”, this vulnerability works by sending malformed SSL certificates to an iOS8 device as it connects to known WiFi hotspots such as “attwifi”, which in turn sends the OS into a reboot loop.
Microsoft certainly has had its share of security issues in the past, and Internet Explorer has caused recent problems on Windows Phone 8.1, with passwords being exposed via search and Cortana.
With so many mobile phones in the world, and so many exploits, how do you decide which mobile OS to trust? Will the popularity of iOS paint a giant bullseye on the back of every iPhone and iPad? With Google losing control of the many versions of Android in the market, and developers willfully lowering security barriers, do we trust the open source community around Android to save us? Or does the relative obscurity of Windows Phone make it a safer bet than ever before? And what about Windows 10 for Phones? Can it take advantage of the years of beating Windows has taken to provide a safe haven for our mobile data? Tell us what you think in our poll below.