Reports of the flaw have captured headlines, but they also raise a number of questions about mobile app security
The news of the security flaw in Apple’s SSL/TLS implementation was reported in the Globe and Mail’s Report on Business today (Feb. 27) and in many other publications over the past few days.
A few nuggets of information: it’s been there for 18 months, it has affected multiple products, it was caused by a single line of code that was buggy, it was only exploitable if you had access to the wireless network that was being used (such as free WiFi in a coffee shop), and a fix was very easy to produce (and has been sent out to customers already).
Sum total: a rapid and effective response to the discovery, but also some dubious checking and testing of the original software. The fact that it occurred resulted in the article headline including “fears of a damaged brand.”
This brings a few questions to mind:
- Has Apple’s popularity gotten to the point where hacking it’s software is worth the effort?
- How easy is it to miss this type of error during the testing process? Is it even possible to actually test every possible flaw?
- What happens to people who don’t download software updates very often?
- What about older devices that may not be current (such as my Apple iPad V1 and iPod Nano)?
- How much should a company like Apple say to people when this type of problem is detected? Is silence golden?
- Should this type of issue really affect the company and its stock? Would people look for these flaws simply to take advantage of the stock market changes it might cause?
- Given the control Apple has over its ecosystem, if this type of problem can still happen, then what does it say about other platforms?
It certainly does beg the question – how serious is this type of problem really? Is this something we will always have to live with? What happens when the Internet of Things arrives and our refrigerators and toasters end up with software glitches? What might happen in SaaS-based cloud systems when we are generally assuming the service provider has done all the testing that is needed?
These are just a few of my thoughts. What do you think?Related Download
Sponsor: IBM Canada Ltd
The New Workplace: Supporting “Bring your own”
“Bring Your Own Device” (BYOD) and the “consumerization of IT” have taken hold in the enterprise, and employees using their own personal smartphones and tablets for business have become pervasive.