Is Your Application Secure? Two Examples of Commercial Apps Mishandling Crucial Data
Today, I’d like to tell you about another reason to use ARO. This one will not speed up your app, but it MAY save you from an embarrassing security incident. When issues with improper data handling surface in the press, it is generally not good news for the application owner. Are you handling your customers’ data properly?
I’ll show you two examples of applications where ARO found major security lapses in the data being transmitted.
1. You’ve got (my) E-mail. Sending sensitive information like passwords in the clear. Sensitive customer information should NEVER be sent without encryption. However, here is a screenshot of data that I captured in a recent network trace:
Look at the first line. Yes, this is my e-mail address (LOGIN) and my password (inside the quotes). Yowzers! What if this account had all of my personal details in it? Luckily, this is a test account with more spam in it than the canned meat aisle at the grocery store. All it takes is one bad guy intercepting this data to wreak havoc on your customer. Obviously, this is not a good idea, and should be avoided.
2. You take the high road, and I’ll take the low road. I was speaking to a developer who mentioned that I would not be able to see any of their data, since it is all sent over a secure https websocket. We ran the test anyway. What I discovered was that the data that was supposed to be secure was being sent over regular http without any encryption!! Both connections ended in the same place (the encrypted road and the unencrypted road), but the data was taking a different route than expected. Luckily, this app was not transmitting customers’ banking data, but the developers were still surprised by my findings.
Here is a screenshot from the ARO tool for scenario #2. In this case, the websocket packets are colored in green, and the file that is SUPPOSED to be in that websocket is in gray. Companies that deal with sensitive information should use ARO (or other tools like ARO) to ensure that they are not jeopardizing their customers’ data.
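As an added example (not part of the original post or of the ARO tool), here is a small Python audit that takes a request list in the shape a traffic analyser might export and flags both lapses described above: credential-looking fields sent over a plaintext scheme (scenario 1) and an endpoint reached over both an encrypted and a plaintext route (scenario 2). The trace format, the hosts and the credential field names are assumptions.

```python
import re

# Constructed sample trace, not data from a real capture: one record per
# request, the way a traffic analyser such as ARO might list them.
SAMPLE_TRACE = [
    {"scheme": "http", "host": "api.example.test", "path": "/login",
     "body": 'LOGIN=alice@example.test&pwd="hunter2"'},
    {"scheme": "https", "host": "api.example.test", "path": "/profile",
     "body": "user=alice"},
    # The "two roads": the same websocket endpoint over ws:// and wss://.
    {"scheme": "ws", "host": "stream.example.test", "path": "/feed",
     "body": '{"price": 101.5}'},
    {"scheme": "wss", "host": "stream.example.test", "path": "/feed",
     "body": '{"price": 101.5}'},
]

SECURE_SCHEMES = {"https", "wss"}
# Field names that usually carry credentials or session identifiers (assumed list).
CREDENTIAL_FIELD = re.compile(
    r"\b(pass(word)?|pwd|secret|token|login|session)\b", re.I)


def audit_trace(trace):
    """Return sorted (severity, description) findings for a request trace."""
    findings = []
    routes = {}  # (host, path) -> set of schemes that endpoint was seen over
    for req in trace:
        key = (req["host"], req["path"])
        routes.setdefault(key, set()).add(req["scheme"])
        if req["scheme"] in SECURE_SCHEMES:
            continue  # encrypted transport: nothing to flag for scenario 1
        url = f'{req["scheme"]}://{req["host"]}{req["path"]}'
        if CREDENTIAL_FIELD.search(req["body"]):
            findings.append(("HIGH", f"credential-like fields sent in cleartext to {url}"))
        else:
            findings.append(("MEDIUM", f"unencrypted transport to {url}"))
    # Scenario 2: an endpoint reached over both the encrypted and the plaintext
    # road, so payloads meant for the secure channel may be taking the other one.
    for (host, path), schemes in routes.items():
        if schemes & SECURE_SCHEMES and schemes - SECURE_SCHEMES:
            findings.append(("HIGH", f"{host}{path} reached over both {sorted(schemes)}"))
    return sorted(findings)


if __name__ == "__main__":
    for severity, description in audit_trace(SAMPLE_TRACE):
        print(severity, description)
```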
Running your app through ARO is a simple test, and you owe it to your customers to make sure that the data you are using is being transmitted securely.
(This blog cross-posted from the AT&T Network Exchange Blog: http://networkingexchangeblog.att.com/enterprise-business/is-your-application-secure/)