More than 80 percent of mobile devices have encryption flaws, while applications written in any of a trio of scripting languages—PHP, ColdFusion and Classic ASP—are more likely to have serious flaws. Craig Young, security researcher at Tripwire, has the following comments on it.
Craig Young, Security Researcher at Tripwire:
“SSL implementation flaws are incredibly prevalent in mobile apps and present grave risks due to the tendency of these devices to use untrusted wireless networks. I believe that a common source of this problem is that developers add logic to specifically disable certain SSL features (namely certificate validation) so that the app can be tested internally without spending money on certificates issued by trusted authorities. This is fine unless the code to bypass certificate checks is not removed before releasing the app for distribution. In my testing, I have identified apps sending everything from phone numbers and email addresses to Gmail and other credentials without validating the remote server certificate.
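The failure mode Young describes, a certificate-validation bypass added for internal testing and never removed, is easy to catch before release. The Python example below is added here for illustration and is not code from Tripwire, from Craig Young, or from the article. It shows the bypass beside a testing approach that keeps validation on (trusting the internal test CA's certificate instead of disabling checks), a release gate that refuses a non-validating TLS context, and a small line-based scan for a few common bypass idioms in Android source. The Android snippet is constructed for the example, and the idiom list is a non-exhaustive starting point, not a complete detector.

```python
import re
import ssl

# --- How the "skip certificate checks for testing" shortcut looks in Python ---

def make_insecure_context():
    """The anti-pattern: a client context that accepts any server certificate.
    If this survives into a release build, every connection can be intercepted
    on an untrusted wireless network."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_client_context(test_ca_bundle=None):
    """The alternative for internal testing: keep validation on and trust the
    internal test CA (a PEM file) in addition to the system roots. No bypass
    code exists, so nothing needs removing before release."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname checking
    if test_ca_bundle:
        ctx.load_verify_locations(cafile=test_ca_bundle)
    return ctx


def context_validates(ctx):
    """True only if the context requires a valid chain AND checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def is_release_safe(ctx, release_build):
    """Build/test-pipeline gate: a release build may only ship a validating
    context. Debug builds may relax this; the safer habit is to never relax it
    and use make_client_context(test_ca_bundle=...) instead."""
    return context_validates(ctx) or not release_build


# --- A minimal source scan for common bypass idioms (assumed, non-exhaustive) ---

BYPASS_IDIOMS = [
    (re.compile(r"checkServerTrusted\s*\([^)]*\)\s*\{\s*\}"),
     "X509TrustManager.checkServerTrusted with empty body"),
    (re.compile(r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;"),
     "HostnameVerifier.verify returning true"),
    (re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER"),
     "Apache HttpClient ALLOW_ALL_HOSTNAME_VERIFIER"),
    (re.compile(r"verify_mode\s*=\s*ssl\.CERT_NONE"),
     "Python ssl context with CERT_NONE"),
]


def find_bypass_idioms(source):
    """Return (line_number, description) for each line matching a known idiom."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for pattern, description in BYPASS_IDIOMS:
            if pattern.search(line):
                hits.append((line_no, description))
    return hits


# Constructed sample of the Android "trust everything" pattern (not real app code).
SAMPLE_ANDROID_SOURCE = """\
TrustManager[] trustAll = new TrustManager[]{ new X509TrustManager() {
    public void checkServerTrusted(X509Certificate[] chain, String authType) { }
    public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}};
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String host, SSLSession s) { return true; }
});
factory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
"""


if __name__ == "__main__":
    for line_no, what in find_bypass_idioms(SAMPLE_ANDROID_SOURCE):
        print(f"line {line_no}: {what}")
    print("release gate (insecure ctx):", is_release_safe(make_insecure_context(), True))
    print("release gate (default ctx): ", is_release_safe(make_client_context(), True))
```

The context check belongs in the app's test suite so that the release configuration is asserted on every build; the source scan is a cheap pre-release grep that catches the most common forms of the bypass, but it will miss obfuscated or reflection-based variants, so it supplements rather than replaces a manual review of the app's TLS setup.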