Thursday, 25 October 2012

Who the Hell is Mallory?

Via the BBC, worrying news for Android users like me:
Our analysis revealed that 1,074 (8.0%) of the apps examined contain SSL/TLS code
that is potentially vulnerable to MITM [Man in the Middle] attacks. Various forms of SSL/TLS misuse were discovered during a further manual audit of 100 selected apps that allowed us to successfully launch MITM attacks against 41 apps and gather a large variety of sensitive data.
Now, I don't use my Android phone for anything sensitive.  Further, the Android marketplace is open, so you'll have good and bad software there; in that sense there's no surprise that some of the apps have security flaws.  I've only skimmed the relevant paper, but I didn't see any list of who these troublesome programs were from.  The authors do observe that the insecure apps include mainstream ones, with tens of millions of installations, but at first glance this seems to be what you'd expect in an unmonitored market.  In short, caveat emptor and be careful with your data.
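To make the quoted finding concrete, here is what "SSL/TLS misuse that allows a MITM" typically looks like in Java/Android client code, set beside the correct form. This is an added illustration, not code from the paper, the BBC article or the original post; the trust-all `TrustManager` and accept-all `HostnameVerifier` pattern is one of the misuses the paper's authors describe, and the class and method names below (`TlsMisuseDemo`, `openBroken`, `openVerified`) are my own.

```java
import javax.net.ssl.*;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

public class TlsMisuseDemo {

    // The misuse: a TrustManager whose check methods never throw, plus a
    // HostnameVerifier that accepts any name. With both in place, an
    // interceptor presenting any certificate at all (self-signed, expired,
    // issued for a different host) is accepted, which is exactly what lets
    // "Mallory" sit between the app and its server.
    static SSLSocketFactory trustEverythingFactory() throws Exception {
        TrustManager[] acceptAll = new TrustManager[] {
            new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) {}
                public void checkServerTrusted(X509Certificate[] chain, String authType) {} // never rejects
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, acceptAll, null);
        return ctx.getSocketFactory();
    }

    // Vulnerable connection (hypothetical helper name): do NOT ship this.
    static HttpsURLConnection openBroken(URL url) throws Exception {
        HttpsURLConnection c = (HttpsURLConnection) url.openConnection();
        c.setSSLSocketFactory(trustEverythingFactory());
        c.setHostnameVerifier((hostname, session) -> true); // any host name "matches"
        return c;
    }

    // The correct form: let the platform's default TrustManagerFactory validate
    // the chain against the system trust store, and leave the default
    // HostnameVerifier in place so the certificate must match the URL's host.
    static HttpsURLConnection openVerified(URL url) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = platform default trust store
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        HttpsURLConnection c = (HttpsURLConnection) url.openConnection();
        c.setSSLSocketFactory(ctx.getSocketFactory());
        // No setHostnameVerifier call: the default verifier stays active.
        return c;
    }

    public static void main(String[] args) throws Exception {
        // Target URL is an assumption for the demo; pass your own as args[0].
        URL url = new URL(args.length > 0 ? args[0] : "https://example.com/");
        try (java.io.InputStream in = openVerified(url).getInputStream()) {
            System.out.println("verified connection: OK (chain and host name checked)");
        } catch (SSLException e) {
            // Against an interception proxy with its own CA this is the branch you want to hit.
            System.out.println("verified connection rejected: " + e.getMessage());
        }
    }
}
```

A practical check: point the app at an interception proxy that presents its own certificate. `openVerified` should fail with an `SSLHandshakeException`; if a connection succeeds instead, the app is trusting something it should not, and any credentials or session data it sends are readable to whoever runs the proxy.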

What I found most confusing, though, was the title of the paper: "Why Eve and Mallory Love Android".  Eve of course is the common name for the eavesdropper in cryptographic circles, but I've never heard of Mallory, hence my question above!  Some wiki-ing gives the answer (the malicious attacker) and a long list of names that makes it clear I know much less about cryptography than I thought...

