Insecure Ecosystems
“A company can spend hundreds of thousands of dollars on firewalls, intrusion detection systems and encryption and other security technologies, but if an attacker can call one trusted person within the company, and that person complies, and if the attacker gets in, then all that money spent on technology is essentially wasted.”
-Kevin Mitnick
House of Cards is one of my favorite shows because I feel that it is probably the closest approximation to what real Washington politics is actually like. I firmly believe the reality is even more frightening than what is portrayed in the show due to rampant corruption (whether “legal” or not through campaign finance law), which has yet to be portrayed, and the fact that Frank Underwood has absolutely no sense whatsoever regarding the power of information.
Frank seems to act entirely on what he and his chief of staff directly see and hear. There is not the smallest hint of gossip. Even in the tiny companies where I have generally worked, this was not true. People talk. All the time. And then people spread that information. The entire world is basically a giant game of telephone, slowly dissipating information like ripples from a pebble dropped into the ocean. Getting that information is the nature of hacking.
The movie Hackers had, at one moment, the closest approximation to what hacking is actually like: not staring at code all night, but sitting on the phone, talking to a dumb security guard and getting him to walk into a locked room and read numbers off of the bottom of highly encrypted equipment. So many brilliant engineers and companies don’t seem to realize that while you might think of every possible technical variable, you will never think of every possible human variable. Not a chance. Yet we spend all of our capital fighting the technical challenges instead of the human ones.
For instance, passwords are a fucking joke. Most information security is a total joke. It’s not that the computer systems are fallible. In fact, they are usually quite good. It’s that people are fallible. Social engineering is damn easy.
In today's world, SSL (now TLS) governs all. It was Netscape's introduction of SSL, and HTTPS on top of it, that enabled trillions of dollars of e-commerce to exist. The feel-good green with the little lock in your address bar is what allows it to happen.
Orange may be the new black, but green is the new secure.
But do you realize that that same green that kept us secure for so long does not exist inside iOS or Android applications?
There is no standardized security auditing of iPhone or Android apps by either ecosystem, and no user-visible indicator of transport security: there is not even a little lock to tell you that you are on an HTTPS connection. If an app does show one, it is a static image the developer drew to make you feel better, and it means nothing. Every piece of information you enter into that app could be sent over an unencrypted connection without you ever knowing, and read off the wire by anyone on the same network or anywhere on the path to the server.
You might as well hire a skywriter and just put all your credit card information, your address, your CVV2, your usernames and passwords, and your social security number into the sky over China or Russia.
What that means is that any password you have ever typed into an iOS or Android app may have crossed the network in the clear, and you have no way to tell. The same goes for every Facebook, Twitter, Gmail, iCloud, credit card, and banking password you have entered on an iOS or Android device. Not to mention that every chat application and picture sharing app could be sending those same private messages over unencrypted connections despite what they tell you, and every credit card and bank account number you have entered into an app may have been recorded by a third party.
I know this because I have been developing iPhone apps since 2009, when SSL was nearly impossible. Back then, we sent all of our data over HTTP for that reason. We were sending a user's GPS coordinates over HTTP despite my desperate pleas to our engineers that we use HTTPS. In the end we decided that it was no big deal because the user would never know: the feel-good green address bar does not exist in mobile apps.
Would you ever put your credit card number into a non-HTTPS website? Well, how do you know you aren't when you are in an app? There is no standard indicator telling you whether the connection is HTTPS, plain HTTP, or whether the app is talking to the network at all.
Certifying apps as secure would be a nightmare for Apple and Google. To prove that an application never uses an unencrypted connection, they would have to reason about every execution path of the compiled binary, and whether a program ever opens a plaintext socket is undecidable in the general case: a URL can be assembled at runtime from fragments, fetched from a server, or chosen by a feature flag, so no finite review of the binary settles the question for every input.
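As an added illustration of why that proof is out of reach, the following Python script (my example, not code from the original post) does the cheap approximation a reviewer could actually run: it pulls every `http://` and `https://` literal out of a constructed stand-in for a compiled binary. It catches the plaintext endpoint that was compiled in as a literal and misses the one the program assembles at runtime from two fragments; the blob, the hostnames and the helper names are all invented for the example.

```python
import re

# Constructed stand-in for an app's executable: a few string literals sitting
# between filler bytes. This is not a real binary and the hosts are made up.
FAKE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"https://api.example.com/v1/login\x00"          # encrypted endpoint
    + b"\xde\xad\xbe\xef"
    + b"http://telemetry.example.net/ping\x00"          # plaintext endpoint, a literal: catchable
    + b"\x00\x00"
    + b"ht\x00tp://\x00"                                # scheme split across two literals ...
    + b"legacy.example.org/upload\x00"                  # ... and joined only at runtime: invisible here
)

# Only the scheme and a conservative set of URL characters; stops at the NUL terminator.
URL_RE = re.compile(rb"(https?)://[A-Za-z0-9._~\-/%?=&#]+")


def scan_url_literals(blob: bytes) -> dict:
    """Return {'https': [...], 'http': [...]} for every URL literal found in the blob."""
    found = {"https": [], "http": []}
    for m in URL_RE.finditer(blob):
        found[m.group(1).decode()].append(m.group(0).decode())
    return found


def has_plaintext_literal(blob: bytes) -> bool:
    """True if at least one http:// literal was compiled into the binary."""
    return bool(scan_url_literals(blob)["http"])


def build_url_at_runtime(*parts: str) -> str:
    """Hypothetical app code: the URL only exists after concatenation, so no
    string scan of the binary ever sees it."""
    return "".join(parts)


if __name__ == "__main__":
    print(scan_url_literals(FAKE_BINARY))
    runtime_url = build_url_at_runtime("ht", "tp://", "legacy.example.org/upload")
    print("runtime-built URL:", runtime_url,
          "found by scan:", runtime_url in scan_url_literals(FAKE_BINARY)["http"])
```

The scan is still worth running, because a literal `http://` is the common case and a cheap reject; it just cannot be the basis of a certification, which is why a platform that wants a guarantee has to enforce policy at the moment a connection is opened rather than by inspecting the binary.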
Heartbleed made the planet change all of our passwords, but why bother when we can't even verify that apps send data encrypted and with a valid certificate? They might be sending that new password in clear text, or accepting an invalid or expired certificate without complaint, which against an attacker on the path is as good as no encryption at all. Since most users reuse the same password everywhere, all it takes is one bad engineer or lazy app developer and their entire life is wide open for any hacker to steal.
We're worried about a tiny buffer overrun in 10 lines of code when all it takes is ARP spoofing and a transparent proxy on a Starbucks Wi-Fi and you're off to the races!
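What that attack looks like from the defender's side, as an added example that is not from the original post: a Python function that walks a constructed log of ARP replies seen on a Wi-Fi segment and flags any IP address, above all the gateway's, that suddenly answers from a second MAC address. That is the signature of the spoof that puts an attacker's proxy between the phone and the router. The replies, addresses and gateway are invented for the example.

```python
from collections import defaultdict

# Constructed ARP-reply log as a sniffer on the segment would report it, not a
# capture from a real network. Fields: seconds since start, sender IP, sender MAC.
ARP_REPLIES = [
    (0.0, "192.168.1.1",  "aa:bb:cc:00:00:01"),   # the real gateway
    (0.5, "192.168.1.23", "aa:bb:cc:00:00:23"),   # an ordinary client
    (1.0, "192.168.1.1",  "aa:bb:cc:00:00:01"),
    (2.0, "192.168.1.1",  "de:ad:be:ef:00:99"),   # a second MAC claims the gateway IP
    (2.1, "192.168.1.1",  "de:ad:be:ef:00:99"),   # repeated: same claim, no new alert
    (3.0, "192.168.1.23", "aa:bb:cc:00:00:23"),
]


def detect_arp_spoofing(replies, gateway_ip):
    """Return one alert per (ip, new mac) pair where an IP is claimed by more
    than one MAC. Claims on the gateway IP are rated critical, since that is
    the address an attacker takes over to proxy everyone's traffic."""
    seen = defaultdict(dict)   # ip -> {mac: time first seen}
    alerts = []
    for t, ip, mac in replies:
        macs = seen[ip]
        if mac in macs:
            continue           # already known for this IP: nothing new
        macs[mac] = t
        if len(macs) > 1:
            alerts.append({
                "time": t,
                "ip": ip,
                "new_mac": mac,
                "known_macs": sorted(m for m in macs if m != mac),
                "severity": "critical" if ip == gateway_ip else "warning",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_REPLIES, "192.168.1.1"):
        print(alert)
```

The rule fires on any IP-to-MAC change, so a legitimate event such as a router replacement or a DHCP address being handed to a new device also trips it; a real deployment would whitelist the known gateway MAC and treat a change there as the only critical case.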
At least when you're in a web browser, you know you're on an encrypted connection with a validated certificate chain because they put the feel-good green in the address bar. Not so within apps. Every two-factor authentication code you have ever typed into an app, whether from RSA SecurID or Google Authenticator? The code is generated on the device, but the app you type it into may send it in the clear, where an attacker on the path can grab it and replay it within its validity window. Without a chain of trust on the connection, the second factor buys you nothing.
Why are we worried about Heartbleed when there is an entire ecosystem that we use on an hourly basis where we don’t even know if we are using proper HTTPS? Just imagine putting a piece of electrical tape over your address bar and then surfing the internet. You’d be a nervous wreck when it came time to type in a credit card number or your SSN and would probably refuse. Yet we do this every day in the app ecosystem and don’t second guess it.
The good news is that the fix would be simple. All it would take is a little green light in the status bar that says the current app has not opened a non-HTTPS connection in the last 30 minutes. The operating system already mediates every socket an app opens, so it is in a position to keep that tally, with one caveat: an app that bundles its own TLS library looks like raw TCP to the OS, so the light could only vouch for traffic that went through the platform's networking stack.
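As an added example of the indicator proposed above (my code, not anything Apple or Google ship, and not from the original post), here is the decision rule in Python over a constructed per-app connection log of the kind the OS networking layer could keep: green only if every connection in the last 30 minutes was HTTPS with a validated chain, red if any was plaintext HTTP or HTTPS with a certificate the platform could not validate (the expired or invalid certificate case raised earlier), and grey when there is nothing in the window or the app spoke raw TCP the OS cannot classify. The app names, hosts and timestamps are invented.

```python
from dataclasses import dataclass

WINDOW_SECONDS = 30 * 60   # the 30-minute look-back the post proposes


@dataclass(frozen=True)
class Connection:
    t: float          # seconds since boot when the socket was opened
    app: str
    host: str
    scheme: str       # "https", "http", or "tcp" (raw socket, contents unknown to the OS)
    cert_ok: bool     # True only if the platform TLS stack validated the chain


# Constructed log of what the OS networking layer would record; not real traffic.
LOG = [
    Connection(0.0,   "bankapp", "api.bank.example", "https", True),
    Connection(600.0, "bankapp", "cdn.bank.example", "https", True),
    Connection(5.0,   "chatapp", "chat.example",     "https", True),
    Connection(900.0, "chatapp", "img.example",      "http",  False),   # plaintext
    Connection(10.0,  "newsapp", "news.example",     "https", False),   # invalid/expired cert accepted
    Connection(20.0,  "gameapp", "game.example",     "tcp",   False),   # app's own TLS library: opaque
]


def indicator(log, app, now):
    """Return 'green', 'red' or 'grey' for one app at time `now` (seconds since boot)."""
    recent = [c for c in log if c.app == app and now - WINDOW_SECONDS <= c.t <= now]
    if not recent:
        return "grey"          # no traffic in the window: nothing to vouch for
    if any(c.scheme == "http" or (c.scheme == "https" and not c.cert_ok) for c in recent):
        return "red"           # something went in the clear, or TLS without a trusted chain
    if any(c.scheme == "tcp" for c in recent):
        return "grey"          # the OS saw bytes it could not classify
    return "green"


if __name__ == "__main__":
    for app in ("bankapp", "chatapp", "newsapp", "gameapp"):
        print(app, indicator(LOG, app, now=1000.0))
```

Two design choices are worth noting. Red is per-event and ages out with the window, exactly as the post's wording implies, so a user who looks 31 minutes after the plaintext request sees grey, not red; an implementation that wants to be stricter would latch red until the user acknowledges it. And grey, not green, is the honest answer for raw TCP: the OS cannot tell a bundled TLS stack from a plaintext protocol, so it should not vouch for either.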
We've missed the very first step of internet security on mobile, which is consistently and conveniently telling people whether what they are sending is actually secure. The root CA signing keys behind SSL are kept under the tightest lock and key in the world, yet we can't even verify that SSL is being used in the very apps it is supposed to protect.
I wonder if that's why House of Cards doesn't portray Frank Underwood raising campaign funds from corporate donors, because that's probably where he gets all of his information and money. Because in today's world, information is the most valuable currency, and you can't plan for the human variable.
Application developers are the human variable in today's mobile ecosystem, and a security auditing system for them does not even exist. It's a nightmare that leaves us all exposed, like peons with no clothes.