More than 80 percent of mobile devices have encryption flaws, while applications written in any of a trio of scripting languages (PHP, ColdFusion and Classic ASP) are more likely to have serious flaws. Craig Young, security researcher at Tripwire, has the following comments on it.
Craig Young, Security Researcher at Tripwire:
“SSL implementation flaws are incredibly prevalent in mobile apps and present grave risks due to the tendency of these devices to use untrusted wireless networks. I believe that a common source of this problem is that developers add logic to specifically disable certain SSL features (namely certificate validation) so that the app can be tested internally without spending money on certificates issued by trusted authorities. This is fine unless the code to bypass certificate checks is not removed before releasing the app for distribution. In my testing, I have identified apps sending everything from phone numbers and email addresses to GMail and other credentials without validating the remote server certificate.
SSL implementation failures can also extend beyond exposed information by allowing network level adversaries to inject malicious content into vulnerable applications. This can be a powerful infection vector as JavaScript running within an app may not always be bound to the same restrictions as it would within a browser due to variations on how the same origin policy is applied.”
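The failure mode Young describes (a certificate-validation bypass added for internal testing that is never removed before release) is something a build pipeline can check for. The script below is an added example, not code from the article or from Tripwire: it scans source text for the common Android and iOS bypass idioms (an empty `checkServerTrusted`, a `HostnameVerifier` that always returns true, an allow-all verifier class, a WebView that calls `handler.proceed()` on an SSL error, and `NSAllowsArbitraryLoads` in an Info.plist) and fails a release gate if any of them appear outside the debug source set. The API names matched are real platform identifiers; every sample snippet is constructed here for illustration, and the assumption that test-only code lives under a `src/debug/` source set follows the Gradle convention but is only a convention.

```python
"""Audit mobile app source for TLS certificate-validation bypasses.

Added example (not from the article or Tripwire). Flags debug-only code that
disables certificate or hostname checks, and refuses a release if such code
sits outside the debug source set. All sample source below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Regexes for well-known bypass idioms. The identifiers (checkServerTrusted,
# ALLOW_ALL_HOSTNAME_VERIFIER, onReceivedSslError, NSAllowsArbitraryLoads, ...)
# are real Android/iOS API names; the matching rules are this script's own.
PATTERNS = [
    ("trust-all TrustManager",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}")),
    ("allow-all hostname verifier",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER|AllowAllHostnameVerifier|NoopHostnameVerifier")),
    ("custom hostname verifier returning true",
     re.compile(r"verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)\s*\{\s*return\s+true\s*;")),
    ("WebView proceeds past SSL error",
     re.compile(r"onReceivedSslError[^}]*?handler\.proceed\s*\(\s*\)")),
    ("iOS ATS disabled",
     re.compile(r"NSAllowsArbitraryLoads\s*</key>\s*<true\s*/>")),
]

# Assumption: test-only code lives in the Gradle debug source set.
DEBUG_PATH_MARKER = "/debug/"


@dataclass(frozen=True)
class Finding:
    name: str
    path: str
    line: int


def audit_source(path: str, text: str) -> list[Finding]:
    """Return every bypass idiom found in one file, ordered by line."""
    found = []
    for name, rx in PATTERNS:
        for m in rx.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            found.append(Finding(name, path, line))
    return sorted(found, key=lambda f: (f.line, f.name))


def audit_files(files: dict[str, str]) -> list[Finding]:
    """Audit a {path: source text} mapping, ordered by path then line."""
    out: list[Finding] = []
    for path in sorted(files):
        out.extend(audit_source(path, files[path]))
    return out


def release_gate_passes(files: dict[str, str]) -> bool:
    """True only if no bypass idiom appears outside the debug source set.

    This is the check the quoted comment implies: bypass code may exist for
    internal testing, but must not survive into the release source set.
    """
    return not [f for f in audit_files(files) if DEBUG_PATH_MARKER not in f.path]


# --- Constructed sample inputs -------------------------------------------
INSECURE_JAVA = """\
// Debug helper that should never ship: accepts any server certificate.
TrustManager[] trustAll = new TrustManager[] { new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] chain, String authType) {}
    public void checkServerTrusted(X509Certificate[] chain, String authType) {}
    public X509Certificate[] getAcceptedIssuers() { return null; }
}};
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, trustAll, new SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
});
"""

WEBVIEW_JAVA = """\
webView.setWebViewClient(new WebViewClient() {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.proceed();  // accepts the page despite a certificate error
    }
});
"""

PLIST = """\
<key>NSAppTransportSecurity</key>
<dict>
  <key>NSAllowsArbitraryLoads</key>
  <true/>
</dict>
"""

SECURE_JAVA = """\
// Release code: platform default trust store and hostname verification.
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, null, null);
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
conn.setSSLSocketFactory(ctx.getSocketFactory());
"""

SAMPLE_FILES = {
    "app/src/debug/NetDebug.java": INSECURE_JAVA,      # tolerated: debug only
    "app/src/main/HelpWebView.java": WEBVIEW_JAVA,     # shipped: fails gate
    "app/src/main/ApiClient.java": SECURE_JAVA,        # clean
    "ios/Info.plist": PLIST,                           # shipped: fails gate
}

if __name__ == "__main__":
    for f in audit_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.name}")
    print("release gate:", "PASS" if release_gate_passes(SAMPLE_FILES) else "FAIL")
```

Run as-is it reports the trust-all manager and permissive verifier in the debug helper, the WebView override and the ATS exception in shipped files, and fails the gate; drop the two shipped findings and the same debug helper is tolerated. Pattern matching of this kind is a cheap first line, not a proof: a bypass built from reflection or a third-party HTTP stack will evade it, so a release should still be exercised against a proxy presenting an untrusted certificate.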