iPad my web security recommendations…Not!
June 11th, 2010 | by Mark

Sometimes this is just too easy! In my last post I whined that AT&T has pushed testing to the back burner by imposing a penalty for bandwidth-hungry applications. I postulated that they would create a situation where app creators cut corners in order to cut bandwidth requirements, all in an effort to entice customers to buy their applications. Well, how can we expect the application writers to be security-conscious when AT&T can't even toe the line?
Come on: a basic web application flaw was discovered that let attackers extract e-mail addresses simply by looking at the protocol the iPad uses to query the AT&T network about a customer's data account. The lookup existed to make it easy for iPad owners to stay within the limits of their plan. What the "researchers" found was that the request carried nothing but the device's SIM identifier (the ICC-ID), which is assigned sequentially and is trivially guessable, and that the server answered with the matching e-mail address without checking that the caller owned that device. Walk the identifier range and the addresses fall out. A flaw that basic would have been obvious to anyone actually testing the application.
Granted, all it revealed was e-mail addresses (plus confirmation of which identifiers belong to real customers, which is exactly the pairing a phisher wants), but come on! A review of the protocol, and a few simple tests that change the identifier and watch what comes back, would have exposed this before the site went public. I have to ask whether this is the kind of reasoning the developers at AT&T are using. The question is, what other protocol failures can we expect to find as we move deeper into mobile land?
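To make the pattern concrete, here is an added example (mine, not AT&T's code or anything from the disclosure) that models the flaw in a few lines of Python. The account table, device ids, session store and handler names are all constructed; the point is the shape of the bug, a lookup keyed on a guessable client-supplied identifier with no ownership check, next to the version that derives the account from an authenticated session instead.

```python
"""Model of an identifier-to-e-mail lookup endpoint, as shipped and as it should be.

Added illustration, not the provider's code. Accounts, ids and handlers are constructed.
"""
import secrets
from typing import Callable, Dict

# Constructed sample data: the provider's account table, keyed by a sequential
# device identifier (standing in for a SIM id). Three customers, gaps elsewhere.
ACCOUNTS: Dict[int, str] = {
    1001: "alice@example.com",
    1002: "bob@example.com",
    1003: "carol@example.com",
}


def lookup_email_vulnerable(request: dict) -> dict:
    """The flaw in miniature: whatever id the client presents is looked up and the
    matching e-mail is returned. No authentication, no check that the caller owns
    that id, and a different answer for known versus unknown ids."""
    email = ACCOUNTS.get(request.get("device_id"))
    if email is None:
        return {"status": 404}
    return {"status": 200, "email": email}


def enumerate_emails(handler: Callable[[dict], dict], start: int, count: int) -> Dict[int, str]:
    """The 'few simple tests' a reviewer would run: change the identifier, walk
    the neighbours, and collect every e-mail that comes back."""
    found: Dict[int, str] = {}
    for device_id in range(start, start + count):
        response = handler({"device_id": device_id})
        if response.get("status") == 200 and "email" in response:
            found[device_id] = response["email"]
    return found


# --- Hardened version -------------------------------------------------------

# Sessions are issued only after the device has actually authenticated (assumed to
# happen elsewhere, e.g. by password). The token is random, so it cannot be walked.
SESSIONS: Dict[str, int] = {}


def issue_session(device_id: int) -> str:
    """Called after authentication succeeds; binds an unguessable token to the
    account that proved ownership. Anything guessable here would recreate the bug."""
    if device_id not in ACCOUNTS:
        raise ValueError("unknown account")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = device_id
    return token


def lookup_email_hardened(request: dict) -> dict:
    """Authorization comes from the session, never from a client-supplied id.
    Any device_id in the request is ignored, so a valid user cannot pivot to a
    neighbour's record, and every failure looks the same to the caller."""
    token = request.get("session")
    device_id = SESSIONS.get(token) if isinstance(token, str) else None
    if device_id is None:
        return {"status": 401}
    return {"status": 200, "email": ACCOUNTS[device_id]}


if __name__ == "__main__":
    print("vulnerable endpoint, ids 1000-1009:", enumerate_emails(lookup_email_vulnerable, 1000, 10))
    print("hardened endpoint, same walk:", enumerate_emails(lookup_email_hardened, 1000, 10))
    session = issue_session(1002)
    print("hardened, own session:", lookup_email_hardened({"session": session}))
    print("hardened, own session but a neighbour's id:",
          lookup_email_hardened({"session": session, "device_id": 1001}))
```

Run it and the walk over ids 1000 to 1009 hands back every customer in the table from the vulnerable handler and nothing from the hardened one. Note too that the hardened handler answers 401 to every failure, so probing it does not even confirm which identifiers exist, and that it never reads `device_id` from the request at all: the account is whatever the authenticated session says it is.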
Some references….
http://news.yahoo.com/s//nm/20100611/tc_nm/us_att_fbi
http://www.examiner.com/x-46117-Long-Island-iPad-Examiner~y2010m6d11-FBI-probes-hack-of-ATT-accounts
2 Responses to “iPad my web security recommendations…Not!”
By slynn on Jun 16, 2010 | Reply
Obviously we are talking about the difference between code & protocol testing vs. QA & User Functionality testing. If I hear you, Mark, you believe AT&T, and some others, are tossing the FULL and RESPONSIBLE testing aside to make a BUCK!
Although this really isn't a surprise, perhaps more companies will consider the proper testing, such as the Safety to Deploy and Fit for Purpose testing offered @ TSC (The Security Consortium).
“Requiring responsible products!”
By Mark on Jun 16, 2010 | Reply
This just keeps getting better. I think they’ve abandoned any notion of testing at this point just to keep up. It seems that the AT&T site not only crashed and burned, it also exposed private information to those trying to register. http://tinyurl.com/23aqadk
Unreal! How do you plan for a rollout like this without a bit of responsible stress testing? I get the feeling that they were so bent on dealing with the huge amount of money they were going to make that they just forgot about being concerned for their customers and their private information.