Why some apps you’re using are putting you in danger

Experts urge start-ups to put more focus on security.

It’s an electric place—the start-up city at the Collision tech conference this week in New Orleans. Hundreds of hungry tech business launchers work elbow-to-elbow, trying to catch the eye of an investor and make it big time.

Over the buzz of a thousand voices, a start-up CEO is singing the praises of his product—an app that he says can bring people together. High on the priority list, he says, is security.

“The first thing that we consider is how to keep people safe,” he said, leaning forward in his chair. “I wasn’t going to deploy an app that would put anyone at risk.” 

But the security he describes for his app—already launched—does not meet all of the standards that cybersecurity experts at this very same conference recommend. No encryption, no testing for security holes that could let attackers in, and data out.

Encryption, used to disguise data so bad guys can’t get it, might slow his app down, he said. And testing? After he gets more funding.

“When funding is secured, there will be a massive security push. We’re going to become paranoid,” he said. “We’ve architected to mitigate it as much as possible, but I plan on having some black-hat ninja m****r-f****rs actually do a serious security analysis and give us real actual change to affect the most secure application we possibly can for users.”

Launch now, security later. Some cybersecurity experts say that’s a common strategy with start-ups— and a bad one that leaves people using apps at risk.

Can you trust that these app developers are making apps that will protect you and your information?

“No,” said Mike Janke with cybersecurity company Silent Circle, who spoke at the Collision conference. “No, you can’t.”

Burning cash

Why would a company put your security on hold?

“From a start-up’s point of view, they don’t want to spend a lot of time on security because they are just trying to get some market traction,” said Chris Wysopal with cybersecurity company Veracode, who also spoke at the conference.

“They’re trying to complete their product, get it into customers’ hands, get feedback, iterate,” he said. “Anything that slows that down is very, very expensive. In a competitive marketplace, you’re burning cash.”

But this “cost-saving” measure—avoiding security—could become very expensive later, Wysopal and Janke said.

Wysopal calls it “security debt.” And it could lead to losses beyond a company’s bank account.

From the start

You need to build security into your app from the beginning, because it is hard to add it down the road, according to Janke and Wysopal.

“Security is not a feature that you add later. It’s an architectural underpinning of your foundation,” Janke told Archer News.

“Before you get along too long, you’re going to need to rip some guts out and go back to it,” he added. “You either do it now, or it’s twice as expensive six, eight, nine months from now.”  

WhatsApp

He cited the example of WhatsApp, an instant messaging service with about a billion users. A former Yahoo employee started up the company in 2009, and it has since been acquired by Facebook.

But WhatsApp had a number of security issues, and eventually had to do some serious re-working of its system, Janke said.

“WhatsApp was never secure,” he said. “At that stage, you have to rip out a bunch of stuff and bring it down to the architecture of it so that it’s secure.”

But even this large, well-funded company struggled to fix its security problems, he said.

“It took them a year and four months. And that’s an example of an unlimited budget with unlimited engineers,” explained Janke. “God knows how much it cost.”

There can be other costs, too. A data breach could be expensive to fix, and costly in terms of reputation.

“You can get to a great place [without security], but you’re vulnerable to tanking the whole company,” said Janke. “You won’t have any money if you get breached. Either spend today or lose tomorrow, your choice.”

My app is safe

Some app makers may believe their apps are secure, but have not tested them to verify.

The result—apps in use with serious security gaps.

“I see that all the time,” said Wysopal, whose company does security testing.

In one case, a hospital—one of the five largest hospitals in the country—created an app for patients to communicate with their doctors. But the app had a hidden flaw, he said.

“It was supposed to be communicating to two sites at the hospital,” he said in one of his talks. “It was communicating to five other sites that they didn’t know about, and one of them was in China.” 

It was a secret door, siphoning out patient and doctor information. “Once that data goes to that other site, it’s gone,” he added. “That ship has sailed.”

My app is encrypted

An encrypted app doesn’t always mean a safe app.

“About 50% of mobile apps we look at mess up their encryption,” Wysopal said.

The app makers may think they have encrypted correctly because one side is encrypting and the other side is decrypting, he explained. But if you don’t test it, he said, you won’t know if the cryptography actually works, or if it actually lets attackers in.

“In health care software, the number one thing we find is broken encryption,” he said.

Saving the apps

Wysopal and Janke encouraged the hundreds of start-ups at the conference to take security seriously.

“You need to think of security up front, before you build your application, at the design stage,” Wysopal said. “Say, ‘I need to come up with a way to authenticate users and a way to authorize what users do what. How can I build my application such that the attack surface is minimized?'”

Include security at every step of the way, he added. The hospital that flunked its app security test had hired someone else to develop the app, and that person used flawed components.

“You pick someone who’s going to do it really cheaply and really fast. They used off-the-shelf components that were free,” he told a group during one of his talks. “If you’re building your own app or having someone else build it from off-the-shelf components, you need to do some kind of testing.”

A question of security

Start-ups may also get a push from investors, who are starting to ask about security, according to Janke.

“If you’re pitching, and you’re standing in front of a VC [venture capitalist] that says, ‘What are you doing to secure this? Is your database encrypted?’ They’re not going to fund you, so you can’t afford not to,” he said. “’If I’m putting in $500,000 or a million, and you don’t have security and you’re breached, my money is gone.’”   

He suggested that start-ups that are short of funds for security try to work out a plan with security companies, for example, offering them 3% ownership in the start-up to provide security help, or some other creative approach.

“There’s always a will and a way,” Janke said.

“Everybody needs it”

That new CEO from start-up city is aware of the dangers of a poorly-protected app.

“Companies will steal our data,” he said, “to perform all sorts of nefarious activities, and we recognize that threat.”

His app, launched two months ago, has only a handful of users. Eventually, he wants to see it go world-wide. But, like many start-ups, like many apps already in use, this app is not fully protected, and no one has tested it to see if your info is safe.

Cybersecurity? That will come, he said. And hopefully not too late.

“Everybody needs it, and if you don’t, you’re an idiot. If you’re an idiot, guess what happens? You get hacked. Then guess what happens? You lose all your customers. Because you’re an idiot.”