This last summer I created and published a simple Android application called “Picture Sender.” The application is simple to use. The users are asked to enter a “to” email address, their email address, and their password. With that information, every time they take a picture it is sent via email. Personally I did not think the application was useful, but Android owners downloaded it. Not long after I published it, I realized I could have programmed it to be malicious. The application could easily be changed slightly to send me each user’s email account and password without their knowledge. I first thought this was pretty cool, but then I was scared of the damage I could do. Of course I did not update the application to do this. My integrity didn’t let this go beyond a simple thought, and besides, is an email address and password worth anything? This experience forced me to realize any information I entered into an application with internet permissions could be sent anywhere.
After reading The Cuckoo’s Egg I couldn’t help but reflect back on the security risk of using my application. One wise user saw the security risk of my application and left a comment mentioning the danger. To my surprise, this negative review had only a minor effect on the steady number of new downloads. Today the application has received over 4000 downloads. That’s 4000 email addresses and passwords I could have in my possession. The Cuckoo’s Egg gave me a new insight into the value of an account and password. The hacker in the book spent a year repetitively trying to get users’ account information. He knew that one user name and password to one system would often give him access to other systems as well. A Google account alone has access to several other abilities, including a purchasing site. If the account owner used Google Checkout, I could make purchases using their credit cards. I also imagine many users of my application set the same user name and password for sites like Amazon and PayPal as for their email account. With this enlightenment I was again scared of the ability to steal I had stumbled upon, but I was more worried by the crimes others might commit. If I had accidentally set myself up to steal thousands of dollars, there could be criminals out there who purposely set themselves in positions to acquire our information to steal our money.