Snapchat, lobbyists and the security crapshoot

Most mobile app makers do not get security, so using their products is becoming a crapshoot. You never know if you'll get a seven or snake eyes.

The latter is what 4.6 million Snapchat users got recently when the mobile messaging service didn't fix a weakness that a security vendor had warned it about in August. Snapchat's foot-dragging resulted in usernames and the associated phone numbers being published in plain text in a CSV file on a website called SnapchatDB.

As security breaches go, this one could have been worse. No other personal data was taken. Nevertheless, the information that was posted could be used by spammers in targeting Snapchat users.

Spinning lawmakers

The breach has drawn the attention of privacy experts, who are calling for an investigation by the Federal Trade Commission. Snapchat's response to the heat is to hire a lobbying firm and work towards "educating policy makers regarding the application's operation and practice."

Rather than spin lawmakers, Snapchat would be better off if it tightened its sloppy security. Gibson Security, which warned Snapchat of the problem last summer, published details of the weakness after months went by with no fix from Snapchat.

Gibson took no part in posting usernames and phone numbers, but the hackers who claimed responsibility said they did it to teach the company a lesson. The file on SnapchatDB omitted the last two digits of each phone number, and the temporary site was up only long enough to draw enough publicity to let Snapchat know it was wrong to dismiss Gibson's warning.

App makers clueless

The incident demonstrates once again that mobile app vendors just don't get it when it comes to security. In November, Hewlett-Packard analyzed 2,100 iOS apps from more than 600 Forbes Global 2000 companies and found that nine in 10 had vulnerabilities.

One of the problems HP found was the failure to take simple steps during development to hinder reverse engineering of the app binary, which is how Gibson worked out how Snapchat's app talks to its servers. That is a real weakness, but it is not where the fix belongs: anything the app can ask the server, an attacker can ask directly, so the check that matters has to live on the server, not in the client.

Reverse engineering is what let Gibson find the weakness in the lookup feature that lets users enter phone numbers so their friends can find their usernames. The server answered those lookups without effectively limiting how many numbers a caller could submit, so anyone could feed it every number in an area code and keep the matches. That is how the hackers were able to build the mini-database so easily.

Following the breach, Snapchat posted a blog entry acknowledging the weakness in its Find Friends feature and said it had recently added "counter-measures" to prevent a similar hack from happening again.
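To make the mechanics concrete, here is an added example of a Find Friends-style lookup. It is constructed for this article, not Snapchat's or Gibson Security's code: the account table, phone numbers, caller names and quota values are all made up. The unprotected service answers any batch of numbers from any caller, so an attacker sweeps a 10,000-number block in ten requests and recovers every username. The same service with a batch cap and a per-account hourly quota cuts the sweep off after a few hundred numbers, while an ordinary user uploading a phone's contact list still gets through.

```python
"""Phone-number enumeration against a contact-lookup endpoint, and the
per-caller limits that blunt it. Constructed example; all data is made up."""
from collections import defaultdict

# Constructed sample account table: phone number -> username (fictional).
ACCOUNTS = {
    "+15555550142": "alice_k",
    "+15555552718": "bob.smith",
    "+15555555309": "carol99",
    "+15555559876": "dave_h",
}

WINDOW_SECONDS = 3600  # quota window: one hour


class LookupRejected(Exception):
    """Raised when the service refuses a lookup (batch too large or quota spent)."""


class FindFriendsService:
    """Given a batch of phone numbers, return the usernames registered to them.

    With max_batch=None and hourly_quota=None this behaves like the weak
    endpoint described in the article: any caller, any batch size, no limit.
    Limits are enforced per authenticated caller, not per IP, since an
    attacker can change IP addresses far more cheaply than accounts.
    """

    def __init__(self, accounts, max_batch=None, hourly_quota=None):
        self.accounts = accounts
        self.max_batch = max_batch
        self.hourly_quota = hourly_quota
        self.usage = defaultdict(list)  # caller -> timestamps of numbers looked up

    def find_friends(self, caller, numbers, now):
        # `now` is passed in so the example is deterministic; a real service
        # would read a monotonic clock.
        if self.max_batch is not None and len(numbers) > self.max_batch:
            raise LookupRejected("batch too large")
        if self.hourly_quota is not None:
            recent = [t for t in self.usage[caller] if now - t < WINDOW_SECONDS]
            if len(recent) + len(numbers) > self.hourly_quota:
                raise LookupRejected("hourly lookup quota exceeded")
            recent.extend([now] * len(numbers))
            self.usage[caller] = recent
        return {n: self.accounts[n] for n in numbers if n in self.accounts}


def enumerate_range(service, caller, prefix, start, end, batch_size, now=0.0):
    """Attacker's sweep: query every number prefix+NNNN in [start, end) in
    batches and collect the matches, stopping when the service refuses.
    Returns (usernames found, number of requests the server accepted)."""
    found = {}
    accepted = 0
    for base in range(start, end, batch_size):
        batch = [f"{prefix}{n:04d}" for n in range(base, min(base + batch_size, end))]
        try:
            found.update(service.find_friends(caller, batch, now))
        except LookupRejected:
            break
        accepted += 1
    return found, accepted


def demo():
    """Run the sweep against the weak and the hardened service."""
    weak = FindFriendsService(ACCOUNTS)
    found_weak, reqs_weak = enumerate_range(weak, "attacker", "+1555555", 0, 10000, 1000)

    hardened = FindFriendsService(ACCOUNTS, max_batch=100, hourly_quota=300)
    found_hard, reqs_hard = enumerate_range(hardened, "attacker", "+1555555", 0, 10000, 100)

    # A legitimate user uploading a 50-entry contact list is unaffected.
    legit = hardened.find_friends("alice", ["+15555552718", "+15555550000"] + ["+15555551%03d" % i for i in range(48)], 0.0)
    return found_weak, reqs_weak, found_hard, reqs_hard, legit


if __name__ == "__main__":
    fw, rw, fh, rh, legit = demo()
    print(f"weak service: {rw} requests accepted, {len(fw)} usernames recovered")
    print(f"hardened service: {rh} requests accepted, {len(fh)} usernames recovered")
    print(f"legitimate contact upload matched: {legit}")
```

Quotas and batch caps raise the attacker's cost rather than eliminating the problem: an attacker with many throwaway accounts can still enumerate slowly in parallel, so a per-account limit should be paired with an option for users not to be discoverable by phone number at all, and with monitoring for callers whose uploaded numbers look like a sequential sweep rather than a real contact list.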

Features vs Security

Misplaced priorities are the reason most mobile app developers fail at security. The focus is on getting features out as fast as possible to build a larger user base.

Making security a key element of the development process requires skill and time. It's much easier to leave users' personal data unprotected and hope no one figures out a way to steal it.

A large portion of Snapchat's user base is under 18 years old, yet that didn't make the company any more security conscious than other mobile app vendors. Fact is, using mobile apps will continue to be a gamble until the FTC clamps down on the vendors, even those that hire lobbyists.
