Many Mobile Apps Intentionally Using Insecure Connections for Sending Data

Many mobile application developers are deliberately disabling the secure HTTPS protections that guard data sent from an app on a user's device to the server, often leaving sensitive data open to interception and compromise by attackers in the process.

One reason appears to be to facilitate the delivery of ads via the applications, a new study by Symantec reveals.

Symantec recently analyzed hundreds of thousands of iOS and Android apps released to Apple's App Store and Google Play over the past five years. The exercise showed that some 7% of iOS apps and 3.4% of Android apps intentionally break the green padlock that indicates a secure communication channel between the app on the user's device and the server: Symantec found such apps actively sending data to insecure network servers and disabling SSL/TLS certificate validation.


Kevin Watkins, principal security researcher at the Symantec Division at Broadcom, which owns the security vendor's enterprise business, says it's not entirely clear why some app developers are intentionally breaking encryption protections and sending potentially private data via insecure SSL connections. "It's hard to say, but [it's] something we are looking into as far as post-research," Watkins says. "We did find a lot of cut and pasting [of] code and classes by app developers as well as guidance from ad networks to disable the locks."

For example, some software development kits, including Google's, explicitly require apps to disable a network security feature available in iOS 9.0 onward called App Transport Security (ATS), which is designed to block insecure network connections. Apple itself allows developers to disable ATS entirely, or only for specific types of content and servers, provided it accepts the developers' stated justification for doing so. What users likely don't know is that once ..
