I came across an astonishing blog post earlier this month detailing some of the disastrous consequences of relying on poorly-designed certification programs. Happtique launched a mobile app certification program to:
[…] help providers, patients, and others easily identify medical, health, and fitness apps that deliver credible content, contain safeguards for user data, and function as described.
This type of certification is a necessary part of a secure system, and companies like Happtique do play a valuable role in certifying software in domains with their own unique security concerns. After all, it is unreasonable to expect that companies like Apple and Google — with millions of applications on offer — will be able to understand the specific security and privacy concerns in every application domain. As sound as the general idea may be, however, Happtique’s implementation was riddled with problems.
The researcher used a jailbroken iPhone and downloaded two “certified” applications, uncovering a laundry list of security and privacy violations:
- Passwords stored in the clear
- Sensitive data sent over plain HTTP rather than HTTPS
- Unencrypted PHI (protected health information) stored on the device
- No clarity about which version of the software was actually certified
- No jailbreak detection (the researcher was, after all, running the apps on a jailbroken iPhone)
As troubling as these issues are, they all point to a larger problem: a lack of well-defined processes and tests for the applications being certified. Those processes should have caught these (very basic) security problems. In this case it appears that outsourcing some of the testing may have contributed to the lack of well-defined processes.
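To make "well-defined tests" concrete, here is the kind of basic automated check a certification process could run over an app's data container, and a fingerprint that ties the verdict to one exact build. This is an added example, not code from the original post or from Happtique's program. The container layout (Library/Preferences, Documents, Library/Caches) is modelled on an iOS app sandbox; the file contents, the app identifier com.example.healthapp, the host api.example.test and the patient record are all constructed for the example, and the sample container stands in for the real app bundle a program would hash.

```python
"""Constructed example: storage and transport checks a certification programme
could run over an app's data container, plus a build fingerprint. Not
Happtique's code; all paths, hosts and data below are made up."""
import hashlib
import json
import re
import tempfile
from pathlib import Path
from typing import NamedTuple


class Finding(NamedTuple):
    path: str      # file, relative to the container root
    check: str     # which rule fired
    evidence: str  # the matching text


# Cleartext transport: any http:// endpoint left in config or cache files.
CLEARTEXT_URL = re.compile(r"\bhttp://[^\s<>\"']+")
# Key/value extractors for formats commonly found in an iOS container:
# XML plists, JSON documents and flat key=value files.
KV_PATTERNS = [
    re.compile(r"<key>([^<]+)</key>\s*<string>([^<]*)</string>", re.I),
    re.compile(r'"([A-Za-z_][\w.-]*)"\s*:\s*"([^"]*)"'),
    re.compile(r"^\s*([A-Za-z_][\w.-]*)\s*=\s*(.+?)\s*$", re.M),
]
CREDENTIAL_KEYS = re.compile(r"pass(word|wd)?|pwd|secret|token|api[_-]?key", re.I)
PHI_KEYS = re.compile(
    r"diagnos|medicat|ssn|social[_-]?security|date[_-]?of[_-]?birth|\bdob\b|patient", re.I)


def scan_text(rel: str, text: str) -> list[Finding]:
    """Apply the three rules (cleartext URL, plaintext credential, unencrypted PHI)."""
    findings = [Finding(rel, "cleartext-http", m.group(0)) for m in CLEARTEXT_URL.finditer(text)]
    for pattern in KV_PATTERNS:
        for key, value in pattern.findall(text):
            if not value.strip():
                continue
            if CREDENTIAL_KEYS.search(key):
                findings.append(Finding(rel, "plaintext-credential", f"{key}={value}"))
            elif PHI_KEYS.search(key):
                findings.append(Finding(rel, "unencrypted-phi", f"{key}={value}"))
    return findings


def scan_container(root: Path) -> list[Finding]:
    findings: list[Finding] = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        try:
            text = path.read_bytes().decode("utf-8")
        except UnicodeDecodeError:
            # Not text (ciphertext, sqlite, images). A real review would open
            # these with format-specific tools; this example skips them.
            continue
        findings.extend(scan_text(path.relative_to(root).as_posix(), text))
    return findings


def fingerprint(root: Path) -> str:
    """SHA-256 over every file, so a pass/fail can be bound to one exact build."""
    h = hashlib.sha256()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h.update(path.relative_to(root).as_posix().encode() + b"\0" + path.read_bytes())
    return h.hexdigest()


def certify(root: Path) -> dict:
    findings = scan_container(root)
    return {"build": fingerprint(root), "passed": not findings, "findings": findings}


PLIST_HEAD = '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>\n'
# Constructed "as shipped" container: the three storage/transport failures above.
AS_SHIPPED = {
    "Library/Preferences/com.example.healthapp.plist": PLIST_HEAD
        + "  <key>username</key><string>jdoe</string>\n"
        + "  <key>password</key><string>hunter2</string>\n"
        + "  <key>api_base</key><string>http://api.example.test/v1/</string>\n"
        + "</dict></plist>\n",
    "Documents/records.json": json.dumps({"patient": "Jane Doe", "dob": "1970-01-01",
                                          "ssn": "123-45-6789", "diagnosis": "Type 2 diabetes"}),
    "Library/Caches/session.txt": "auth_token=0123456789abcdef\n",
}
# Constructed hardened container: HTTPS, a keychain reference instead of the
# password, and records kept as ciphertext (stand-in bytes, deliberately not UTF-8).
HARDENED = {
    "Library/Preferences/com.example.healthapp.plist": PLIST_HEAD
        + "  <key>username</key><string>jdoe</string>\n"
        + "  <key>credential_ref</key><string>keychain:com.example.healthapp.session</string>\n"
        + "  <key>api_base</key><string>https://api.example.test/v1/</string>\n"
        + "</dict></plist>\n",
    "Documents/records.enc": bytes(range(0x80, 0x100)),
}


def build_sample_container(hardened: bool = False) -> Path:
    root = Path(tempfile.mkdtemp(prefix="container-"))
    for rel, content in (HARDENED if hardened else AS_SHIPPED).items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content if isinstance(content, bytes) else content.encode())
    return root


if __name__ == "__main__":
    for label, hardened in (("as shipped", False), ("hardened", True)):
        report = certify(build_sample_container(hardened))
        print(f"{label}: build {report['build'][:12]} passed={report['passed']}")
        for f in report["findings"]:
            print(f"  {f.check:21} {f.path}: {f.evidence}")
```

Run stand-alone, the "as shipped" container fails on seven findings across all three rules and the hardened one passes; each verdict is reported next to the build fingerprint, which is the piece that answers the "which version was certified?" question. The rules are deliberately crude string matching: they are the floor a program should clear, not a substitute for a reviewer reading the code and watching the traffic.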
In order to rely upon any certification, you need to understand exactly what the certification criteria are — what has been tested, to what degree, and importantly what has not been tested. Is the program based on self-certification? If so, what are the consequences of failure to comply? If the program uses a third-party review, what aspects of the application are tested? Without knowing the answers to these questions, it is difficult to attach any real meaning to the label “certified”. In the Happtique case, it appears to mean very little indeed.
No certification program can detect all possible security problems, but when the data in question is personal health information the bar should be set much (much) higher.