<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>PC Pro blog &#187; Davey Winder</title>
	<atom:link href="http://www.pcpro.co.uk/blogs/author/davey-winder/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.pcpro.co.uk/blogs</link>
	<description>Blogging in the real world</description>
	<lastBuildDate>Wed, 08 Feb 2012 16:54:13 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Mobile money: a solution to a problem that doesn’t exist</title>
		<link>http://www.pcpro.co.uk/blogs/2011/06/02/mobile-money-a-solution-to-a-problem-that-doesn%e2%80%99t-exist/</link>
		<comments>http://www.pcpro.co.uk/blogs/2011/06/02/mobile-money-a-solution-to-a-problem-that-doesn%e2%80%99t-exist/#comments</comments>
		<pubDate>Thu, 02 Jun 2011 10:33:26 +0000</pubDate>
		<dc:creator>Davey Winder</dc:creator>
				<category><![CDATA[Real World Computing]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[commerce]]></category>
		<category><![CDATA[finance]]></category>
		<category><![CDATA[mobile]]></category>
		<category><![CDATA[money]]></category>
		<category><![CDATA[NFC]]></category>
		<category><![CDATA[payment]]></category>
		<category><![CDATA[retail]]></category>
		<category><![CDATA[smartphones]]></category>

		<guid isPermaLink="false">http://www.pcpro.co.uk/blogs/?p=38308</guid>
		<description><![CDATA[
Mobile money is the future, or so I&#8217;m assured by research into the use of Near Field Communications (NFC) systems, which says most of us will be using our smartphones to pay for stuff within the next four years.
First things first, mobile money is not new. And, no, I’m not talking about the fact that money [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/06/mobilecoins4x3.jpg"><img class="aligncenter size-large wp-image-38326" title="mobile money" src="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/06/mobilecoins4x3-461x346.jpg" alt="mobile money" width="461" height="346" /></a></p>
<p>Mobile money is the future, or so I&#8217;m assured by research into the use of Near Field Communications (NFC) systems, which says most of us will be using our smartphones to pay for stuff within the next four years.</p>
<p>First things first, mobile money is not new. And, no, I’m not talking about the fact that money itself is pretty damn mobile when you think about it &#8212; what I’m talking about provides a system whereby you don’t have to carry real cash and can instead just point an easily carried payment device at a retailer.</p>
<p>Most of you will immediately know what I’m talking about when I mention the name of this bit of wonder kit, this device that has revolutionised retail, that does away with the need to carry cash and that just about everyone is comfortable using: it’s called a debit card.</p>
<p><span id="more-38308"></span></p>
<p>For the small business it’s a no-brainer as the payment mechanisms are already well established and the associated costs already factored into the business plan. There are precious few compatibility problems, everyone knows how to use it and almost everyone has one. Sure, even with chip and pin there remains a fraud risk but, again, that’s a known entity and most businesses will be aware of the procedures required to mitigate the risk and deal with any fraud that should occur. And my debit card does not need a battery; how about yours?</p>
<p><strong>Debit cards</strong></p>
<p>Which brings us neatly to the problems I have with this concept of the majority of us jumping from cash and cards to smartphone money and NFC systems.  Debit cards have been around since the early eighties and, in 2011, banks still issue cheque books. OK, that is about to change over the next year or two as a result of fewer people actually using cheques any more, but it has taken more than 25 years to get to this point.</p>
<blockquote><p>Debit cards have been around since the early eighties and, in 2011, banks still issue cheque books</p></blockquote>
<p>If we are to believe the NFC hype then the general public acceptance jump from debit card to smartphone as payment method will take less than five years. That, frankly, is very hard to believe, even for an evangelistic and unashamed geek like me. (Of course, the fact that the research suggesting this was commissioned by Monetise, a &#8220;global enabler of mobile money services&#8221; does nothing to help me accept the conclusions.)</p>
<p>But let’s take a closer look anyway. I am informed by this research that the number of people in the UK using their mobile phones to manage their money (access bank accounts, make purchases and perhaps pay some bills) has doubled in just two years. Sounds impressive, but it has doubled from 5% to 10%, so hardly anything to get really excited about.</p>
<p>The research insists that the number will go past 50% “in the next few years as banks and retailers take advantage of the widespread adoption of smartphones, apps and 3G phone networks to deliver new services”. OK, given a rather huge dose of benefit of the doubt I will go along with that. Where I think it all goes tits up is when it insists that a major factor will be “the emergence of ‘tap-and-go’ payments using Near Field Communications”.</p>
<p><strong>An emerging trend?</strong></p>
<p>The report, <a href="http://www.monitisegroup.com/uploads/assets/docs/money_on_the_move_chapter_4.pdf" target="_blank">Emerging Trends in Mobile Banking</a>, discovered 57% have used mobile banking more frequently in the past year than they did in the previous year, 68% find banking on the handset easier than over the internet, and 70% are very keen to use their mobile to buy things. Really, very keen? That may change when they get to the shops and discover the mobile phone battery is dead. Or the shop in question doesn’t accept Nokia money, only Motorola money. “You want to pay by iPhone sir? There’s a 1.5% handling fee for that as Apple charge us extra” and so on.</p>
<p>I’m not knocking NFC just for the sake of it; I can see huge potential for the technology. But to suggest that most of us will be flocking to pay for stuff with it in just a handful of years from now is folly of the first order. Until a smartphone is as small as my debit card, has the same battery life and can be pretty much guaranteed to be accepted everywhere I go, I think I will be sticking with my flexible friend…</p>
]]></content:encoded>
			<wfw:commentRss>http://www.pcpro.co.uk/blogs/2011/06/02/mobile-money-a-solution-to-a-problem-that-doesn%e2%80%99t-exist/feed/</wfw:commentRss>
		<slash:comments>13</slash:comments>
		</item>
		<item>
		<title>Is the new Twitter Tsar a Ryan Giggs fan?</title>
		<link>http://www.pcpro.co.uk/blogs/2011/05/25/is-the-new-twitter-tsar-a-ryan-giggs-fan/</link>
		<comments>http://www.pcpro.co.uk/blogs/2011/05/25/is-the-new-twitter-tsar-a-ryan-giggs-fan/#comments</comments>
		<pubDate>Wed, 25 May 2011 10:48:01 +0000</pubDate>
		<dc:creator>Davey Winder</dc:creator>
				<category><![CDATA[Newsdesk]]></category>
		<category><![CDATA[Real World Computing]]></category>
		<category><![CDATA[law]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Twitter]]></category>

		<guid isPermaLink="false">http://www.pcpro.co.uk/blogs/?p=38170</guid>
		<description><![CDATA[
Twitter is having another one of those ‘I&#8217;m Spartacus!’ moments. The last one was when the powers that be decided someone making a joke post about blowing up Robin Hood Airport was a potential terrorist and prosecuted the poor sod.
The Twittersphere responded by retweeting the posting in question, on the basis that the police couldn&#8217;t [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/05/Ryan-Giggs-.jpg"><img class="aligncenter size-large wp-image-38179" title="Ryan Giggs" src="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/05/Ryan-Giggs--462x346.jpg" alt="Ryan Giggs" width="462" height="346" /></a></p>
<p>Twitter is having another one of those ‘I&#8217;m Spartacus!’ moments. The last one was when the powers that be decided someone making a joke post about <a title="Robin Hood Tweet bomber convicted" href="http://www.pcpro.co.uk/news/357829/robin-hood-tweet-bomber-convicted" target="_self">blowing up Robin Hood Airport was a potential terrorist</a> and prosecuted the poor sod.</p>
<p>The Twittersphere responded by retweeting the posting in question, on the basis that the police couldn&#8217;t arrest everyone. The same thing has now happened following the ridiculous situation where everyone and their dog knows the identity of a footballer who stands accused of doing what footballers seem to do when not kicking a ball around and earning obscene amounts of money.</p>
<p>An MP even used his Parliamentary privilege to suggest the footballer in question was Ryan Giggs. Something the masses on Twitter have been doing for the past fortnight or so, with tens of thousands of tweets and retweets naming the Manchester United player.</p>
<p><span id="more-38170"></span></p>
<p>Most everyone, including it would appear the Prime Minister, has admitted the situation is such that these super injunctions are dead in the water and need to be looked at again. I say most everyone, as some lawyers who specialise in privacy law (surprise, surprise) think it&#8217;s outrageous that people on Twitter have ‘outed’ a poor footballer in this way and have called for every one of them to be prosecuted. Funnily enough, a certain footballer (who I shall refrain from naming) has allegedly instructed his lawyers to chase the Tweeting masses in just this manner.</p>
<blockquote><p>Will the temptation be to try and control social networks and silence the voices of the tweeting masses?</p></blockquote>
<p>While High Court Judges are notoriously out of touch with reality, those law makers a few decades younger and who live in the real world can surely not have failed to notice the power of Twitter. Which leaves me wondering which way they will swing: will the temptation be to try and control social networks and silence the voices of the tweeting masses? Or will they realise that free speech and the wisdom of crowds will always eventually expose stupid laws for exactly what they are?</p>
<p>I’m hopeful that it will be the latter, not least as the new Government appointed Twitter Tsar (or to be more precise the Executive Director of Digital Efficiency and Reform Group, Cabinet Office) is one Mike Bracken. While you may not recognise the name, you will recognise the web legacy he has left behind.</p>
<p>Bracken is a founder of the Mysociety Project, perhaps best known for the <a title="TheyWorkForYou" href="http://www.theyworkforyou.com/" target="_blank">TheyWorkForYou</a> website. This important site made it easy for ordinary folk like you and I to discover not only how to get in touch with our MP, but also exactly what they had been getting up to, how they voted, what they said in speeches and much more. Bracken has been a pioneering beacon in the world of the online democratisation of politics. As such, surely he would applaud the Twittersphere in helping to expose the daftness of the super-injunction culture that has exploded into the limelight this week?</p>
<p>Mike Bracken was unavailable for comment, unfortunately, so I can only guess that he would adopt a more sympathetic attitude to social networks than many in the corridors of power.  He doesn’t actually start the position until July, and although the fuss may have blown over by then the fallout will most certainly not have vanished. In his <a title="Mike Bracken blog " href="http://mikebracken.com/2011/05/on-becoming-executive-director-of-digital-in-the-cabinet-office/" target="_blank">own blog  about accepting the new role</a>, Bracken states “I’ve had the great fortune to work with hundreds of digital developers, and I know at heart they want to change the world and improve digital services from the users perspective. Now seems to be the time to give them a chance.”</p>
<p>Let’s hope that changing the world includes users as well as developers…</p>
]]></content:encoded>
			<wfw:commentRss>http://www.pcpro.co.uk/blogs/2011/05/25/is-the-new-twitter-tsar-a-ryan-giggs-fan/feed/</wfw:commentRss>
		<slash:comments>13</slash:comments>
		</item>
		<item>
		<title>Where hacked Sony went wrong, and Lastpass got it right</title>
		<link>http://www.pcpro.co.uk/blogs/2011/05/06/where-hacked-sony-went-wrong-and-lastpass-got-it-right/</link>
		<comments>http://www.pcpro.co.uk/blogs/2011/05/06/where-hacked-sony-went-wrong-and-lastpass-got-it-right/#comments</comments>
		<pubDate>Fri, 06 May 2011 11:28:09 +0000</pubDate>
		<dc:creator>Davey Winder</dc:creator>
				<category><![CDATA[Real World Computing]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[disclosure]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[sony]]></category>

		<guid isPermaLink="false">http://www.pcpro.co.uk/blogs/?p=37357</guid>
		<description><![CDATA[
Unless you have been living in Osama Bin Laden&#8217;s old cave, you can&#8217;t have failed to notice that Sony is having a bad time of it right now.
First the PlayStation Network is hacked and customer data compromised, and then we discover that the Sony Online Entertainment network has suffered the same fate. There has been [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/05/Dollar-mouth.jpg"><img class="aligncenter size-large wp-image-37366" title="Dollar mouth" src="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/05/Dollar-mouth-462x347.jpg" alt="Dollar mouth" width="462" height="347" /></a></p>
<p>Unless you have been living in Osama Bin Laden&#8217;s old cave, you can&#8217;t have failed to notice that Sony is having a bad time of it right now.</p>
<p>First the PlayStation Network is hacked and customer data compromised, and then we discover that the Sony Online Entertainment network has suffered the same fate. There has been plenty written, including some excellent editorial here at <em>PC Pro</em>, covering the what and why of the breach, so there is little point me going over that again.</p>
<p>I&#8217;m more interested in how Sony responded after discovering the breach. Did the gaming giant get it right regarding disclosure in this case? Is the Pope a belly dancer?</p>
<p><span id="more-37357"></span></p>
<p>It was bad enough that Sony took so long to inform customers of the PlayStation Network breach: a week is one heck of a long time. Yet that&#8217;s how long it took Sony, one of the biggest entertainment outfits on the planet, to confirm what data had been compromised and get around to informing customers that they might be at risk.</p>
<blockquote><p>Simply not good enough, Sony. Yes, you need to get your facts straight before going public, but a week when your customers were at potential risk of credit-card fraud and you did nothing?</p></blockquote>
<p>Ross Brewer, a director at log analysis firm LogRhythm, shares my surprise, stating &#8220;compromised user accounts were discovered as early as 17 April&#8230; yet it has taken seven days to warn users that they are now at increased risk of email, telephone, and postal mail scams, as well as credit-card fraud&#8221;.</p>
<p>Simply not good enough, Sony. Yes, you need to get your facts straight before going public, but a week when your customers were at potential risk of credit-card fraud and you did nothing? As William Beer, a director in PwC’s information security practice, points out &#8220;the period after a breach is time-critical in terms of communicating with consumers, regulators and protecting reputation&#8221; &#8211; especially when consumer trust is being tested by the amount of personal information they are expected to divulge and entrust to gain the benefits of an online service. Even the EU Justice Commissioner Viviane Reding has said that seven days &#8220;is much too long&#8221;.</p>
<p>But that&#8217;s not the half of it. It turns out that the Sony Online Entertainment network, which serves PC gamers and saw a further 24.6 million customer details compromised to add to the 50 million on the PlayStation Network itself, was actually hacked first. Sony knew about the hack, but didn&#8217;t believe any customer data had been compromised so kept quiet. Big mistake, as it turns out. The reputation of Sony will, in my never humble opinion, have been hurt much more by the creeping revelations of consumer data exposure than the short-term harm of warning customers to be on guard, just in case.</p>
<p><strong>Lastpass sets the example</strong></p>
<p>If Sony wants to know what it should have done, then look no further than the emerging story of a potential hack attack at the Lastpass password management service. The company &#8220;noticed an issue&#8221; yesterday whereby its logs revealed a network traffic anomaly on a non-critical machine and upon investigation, having been unable to identify the root cause and spotting some matching activity regarding outbound traffic, concluded there was the potential for a hacker to have breached the database and transferred email addresses, the server salt and their salted password hashes.</p>
<p>Rather than keep mum through fear of reputational harm, Lastpass immediately informed its users and put in place a procedure to force them to change their master passwords. &#8220;The potential threat here is brute forcing your master password using dictionary words, then going to LastPass with that password to get your data&#8221; a Lastpass spokesperson said. &#8220;Unfortunately not everyone picks a master password that&#8217;s immune to brute forcing&#8221;.</p>
<p>As well as forcing the password change, Lastpass required the request to come from a known IP or with an email validation for additional security. &#8220;We realise this may be an overreaction and we apologise for the disruption this will cause&#8221; the spokesperson said &#8220;but we&#8217;d rather be paranoid and slightly inconvenience you than to be even more sorry later&#8221;.</p>
<p>Now that may sound like commercial suicide when you consider that this is a security outfit offering a password vault service admitting that it may have been compromised. I beg to differ: this is a security company taking its responsibilities seriously (although if a breach has taken place, then some difficult questions need to be asked). Disclosing quickly and honestly maintains the trust relationship with its customers.</p>
<p>Are you listening Sony?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.pcpro.co.uk/blogs/2011/05/06/where-hacked-sony-went-wrong-and-lastpass-got-it-right/feed/</wfw:commentRss>
		<slash:comments>16</slash:comments>
		</item>
		<item>
		<title>Small businesses need more than mobile phones</title>
		<link>http://www.pcpro.co.uk/blogs/2011/04/28/small-businesses-need-more-than-mobile-phones/</link>
		<comments>http://www.pcpro.co.uk/blogs/2011/04/28/small-businesses-need-more-than-mobile-phones/#comments</comments>
		<pubDate>Thu, 28 Apr 2011 10:22:26 +0000</pubDate>
		<dc:creator>Davey Winder</dc:creator>
				<category><![CDATA[Real World Computing]]></category>
		<category><![CDATA[mobile phone]]></category>
		<category><![CDATA[Online business]]></category>
		<category><![CDATA[research]]></category>
		<category><![CDATA[small business]]></category>

		<guid isPermaLink="false">http://www.pcpro.co.uk/blogs/?p=37237</guid>
		<description><![CDATA[An interesting piece of research landed on my desk this week which claimed that small businesses were missing out on new sales opportunities because they were simply unable to respond fast enough in a changing commercial world where 24/7 means just that.
I have to admit to being a little surprised at this notion, and the [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/04/Motorola-Atrix-4G.jpg"><img class="aligncenter size-large wp-image-37246" title="Motorola Atrix 4G" src="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/04/Motorola-Atrix-4G-462x346.jpg" alt="Motorola Atrix 4G" width="462" height="346" /></a>An interesting piece of research landed on my desk this week which claimed that small businesses were missing out on new sales opportunities because they were simply unable to respond fast enough in a changing commercial world where 24/7 means just that.</p>
<p>I have to admit to being a little surprised at this notion, and the press release headline which screamed &#8220;slow customer response times costing smaller enterprises crucial new business&#8221;, as I was under the impression that pretty much everyone had heard of this thing called the internet by now.</p>
<p>I wouldn&#8217;t argue with the hypothesis that responding quickly to customer demand is both key to business success and a challenge facing many at the smaller end of the SME scale. Nor would I take offence at the suggestion that social media uptake and a 24-hour society culture is driving customers to expect instant commercial gratification. Indeed, much of the research is a fascinating confirmation of the changing face of the small business today:</p>
<p><span id="more-37237"></span></p>
<ul>
<li>78% of those businesses asked said that providing a fast response to customer queries was their biggest source of competitive advantage</li>
<li>33% blamed an inability to respond quickly enough to customer enquiries for the loss of contracts</li>
<li>79% of SME managers expect employees to respond to customer phone calls immediately during office hours, regardless of their location, and 32% expect them to respond immediately to enquiries made via social media</li>
</ul>
<p>All of that pretty much squares up with what I would have thought people would say, although the social media response demand was a little surprising, but it does reflect the growing importance of Twitter and Facebook as a potential sales channel.</p>
<p>My problem comes with the fact that the research was carried out for Vodafone and appears to be a sales pitch for mobile phones and managed communications. Tom Craig, Vodafone&#8217;s business services director, argued that small businesses are recognising that managed communications that instantly route unanswered incoming calls to mobiles are increasingly seen as vital to small business, yet 40% of those asked said there was a lack of budget to fund the technology. And now we get to the real pitch, a subscription-based managed communications model sending those calls to mobiles being offered by Vodafone.</p>
<p>Which is great, but I repeat: hasn&#8217;t everyone in business discovered the internet yet? Being able to talk to a human being is one factor in closing deals, but getting an instant response by email, or talking to an online sales advisor using an instant chat system, or maybe just having a decent e-commerce system in place which can fulfil orders 24/7 and provide access to those enquiry channels, is the real answer to the problem of competitive advantage in 2011 and beyond.</p>
<p>In an age of instant gratification for all things, including business deals, the internet and not mobile phones is the killer app.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.pcpro.co.uk/blogs/2011/04/28/small-businesses-need-more-than-mobile-phones/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>The nightmare of Patch Tuesday for small businesses</title>
		<link>http://www.pcpro.co.uk/blogs/2011/04/21/the-nightmare-of-patch-tuesday-for-small-businesses/</link>
		<comments>http://www.pcpro.co.uk/blogs/2011/04/21/the-nightmare-of-patch-tuesday-for-small-businesses/#comments</comments>
		<pubDate>Thu, 21 Apr 2011 09:04:50 +0000</pubDate>
		<dc:creator>Davey Winder</dc:creator>
				<category><![CDATA[Online business]]></category>
		<category><![CDATA[Real World Computing]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Patch Tuesday]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[small business]]></category>

		<guid isPermaLink="false">http://www.pcpro.co.uk/blogs/?p=37036</guid>
		<description><![CDATA[
More and more businesses are dreading that Tuesday every month when Microsoft release a bunch of security patches and updates.
Patch Tuesday should be a thing to look forward to, of course, seeing as it&#8217;s when the latest round of application and operating system vulnerabilities get a nice big sticking plaster to protect your systems and [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/04/Windows-Update-1.jpg"><img class="aligncenter size-large wp-image-37054" title="Windows Update" src="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/04/Windows-Update-1-462x346.jpg" alt="Windows Update" width="462" height="346" /></a></p>
<p>More and more businesses are dreading that Tuesday every month when Microsoft release a bunch of security patches and updates.</p>
<p>Patch Tuesday should be a thing to look forward to, of course, seeing as it&#8217;s when the latest round of application and operating system vulnerabilities get a nice big sticking plaster to protect your systems and data from exploit. The trouble is that when, as with the latest Patch Tuesday, there are no fewer than 17 security bulletins (nine rated as critical) covering a whopping 64 vulnerabilities &#8211;  many of the patches requiring a full system restart &#8211; it all starts to become something of an IT management nightmare. Especially for the smaller business where there isn&#8217;t an IT manager or even an IT department to handle such things.</p>
<p>The vast majority of smaller businesses that I talk to are not IT savvy; they get by and rely upon the systems and software they are supplied to do their job. They don&#8217;t switch browser to Firefox or Chrome, they run Internet Explorer because that&#8217;s what everyone else uses and it came with the box. What&#8217;s more, they often run an older version of Internet Explorer as they apply the &#8220;if it ain&#8217;t broke&#8221; rule. Wrongly in the case of older versions of IE, of course, which are broken from a security perspective.</p>
<p><span id="more-37036"></span></p>
<p>The latest Patch Tuesday updates included one (security bulletin MS11-018, which was rated critical and covered IE6, IE7 and IE8) which protects them from a vulnerability that can compromise the browser as soon as it visits a malicious site. It&#8217;s vital if a business is using one of those versions of Internet Explorer that they apply the patch, yet it&#8217;s bundled in with all the others and likely to be lost in an all or nothing approach to updating.</p>
<blockquote><p>Surely it would be better if Microsoft rolled out patches individually, on demand, as they became available, rather than storing them up and releasing them in a flood like this?</p></blockquote>
<p>Many small businesses opt for the nothing approach, at least in the short term, as installing and rebooting eats into either work or leisure time. Many will have been advised to turn off automatic updating to prevent such interruptions to their business processes and will simply ignore the warnings about updates altogether.</p>
<p>For consumers these mammoth updates are a nuisance, but nothing more. If they want to minimise disruption they can simply schedule the update to take place while they sleep. Small businesses are not in such a position: they have to supervise the process to ensure there are no hiccups. Those businesses without specialist IT support are in a Catch-22 situation: they have to understand the vulnerabilities as they apply to their particular needs and prioritise the patching process accordingly, but they don&#8217;t, so they can&#8217;t. Then there&#8217;s the problem of compatibility testing, especially if the business uses custom applications that could be impacted by the patching.</p>
<p>Security patching of critical vulnerabilities is vital to safeguard your business data, but unplanned patching can interrupt business processes and potentially break custom applications. Surely it would be better if Microsoft rolled out patches individually, on demand, as they became available, rather than storing them up and releasing them in a flood like this? Surely it would be better if the reasons for patching and implications of not patching were explained better to the end users rather than pointing to the somewhat jargonised security bulletins?</p>
<p>So, if you are a small business, how do you deal with Patch Tuesday?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.pcpro.co.uk/blogs/2011/04/21/the-nightmare-of-patch-tuesday-for-small-businesses/feed/</wfw:commentRss>
		<slash:comments>16</slash:comments>
		</item>
		<item>
		<title>Waiting for the Epsilon email attacks to start</title>
		<link>http://www.pcpro.co.uk/blogs/2011/04/14/waiting-for-the-epsilon-email-attacks-to-start/</link>
		<comments>http://www.pcpro.co.uk/blogs/2011/04/14/waiting-for-the-epsilon-email-attacks-to-start/#comments</comments>
		<pubDate>Thu, 14 Apr 2011 09:59:45 +0000</pubDate>
		<dc:creator>Davey Winder</dc:creator>
				<category><![CDATA[Real World Computing]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[Epsilon]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.pcpro.co.uk/blogs/?p=36769</guid>
		<description><![CDATA[
You&#8217;ve already doubtless noticed that email marketing outfit Epsilon had fallen victim to a data security breach. US-based Epsilon, a third-party marketing company that sends out emails to customer addresses supplied by well known businesses all over the world, admitted on 30 March that its email database had been hacked.
While only customer names and email [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/04/Hazard-symbols.jpg"><img class="aligncenter size-large wp-image-36784" title="Hazard symbols" src="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/04/Hazard-symbols-462x346.jpg" alt="Hazard symbols" width="462" height="346" /></a></p>
<p>You&#8217;ve already doubtless noticed that email marketing outfit Epsilon had fallen victim to a data security breach. US-based Epsilon, a third-party marketing company that sends out emails to customer addresses supplied by well known businesses all over the world, admitted on 30 March that its email database had been hacked.</p>
<p>While only customer names and email addresses were compromised, and then only concerning around 2% (or 50 companies in total) of Epsilon&#8217;s client base, the &#8216;your email address has been compromised&#8217; warnings have been rolling in thick and fast: Hilton Worldwide, Mothercare, Capital One, Barclaycard and Marks and Spencer to name but a few.</p>
<p>But while the security breach itself is serious, it&#8217;s tempting to think that the fallout won&#8217;t be. After all, what can someone do with your email address and name? The truth is that I expect the Epsilon email attacks to start coming thick and fast, just as soon as lists of names and email addresses tied to specific retailers and businesses have been compiled and sold on the underground criminal market.</p>
<p><span id="more-36769"></span>Think about it: getting a generic spam or scam email that isn&#8217;t highly targeted (warning you about a bank security issue with a bank you&#8217;re not a customer of, for example) is supremely easy to spot and dismiss. When an email arrives that not only names you personally, but connects you with a company that you do business with, then the plausibility factor increases incredibly and your defences immediately lower.</p>
<blockquote><p>Trusteer set up an experiment to prove that a carefully crafted attack will fool the majority of educated users, and the results are rather shocking</p></blockquote>
<p>Spam will probably be the first point of attack, but expect to see an increase in phishing emails and malicious links. And it&#8217;s the latter that is worrying me the most, especially given the results of an investigation by security outfit <a href="http://www.trusteer.com" target="_blank">Trusteer</a> into just how easily people will click &#8216;believable&#8217; links in socially engineered emails, despite the best efforts of those in the security business to educate them otherwise.</p>
<p>Trusteer set up an experiment to prove that a carefully crafted attack will fool the majority of educated users, and the results are rather shocking. Using a LinkedIn account set up for the experiment, 100 users were chosen who were known to the company (friends, family, associates) and known to be security savvy. These users were even warned, and asked for permission, to take part in a security experiment but not given any information about what, why or when. You would expect them to have been extra vigilant under such circumstances. An email was sent stating that one of their connections had a new job, complete with a big button for viewing the new job title that actually led to a different website.</p>
<p>The results? No fewer than 41 subjects reached the &#8216;fake&#8217; landing page within a day, 52 within 48 hours, and 68 people clicked on the potentially dodgy link within a week. Of the 32 who didn&#8217;t click, 16 said they hadn&#8217;t got the email, seven didn&#8217;t read LinkedIn updates anyway and the remaining nine weren&#8217;t interested enough in the person concerned to click.</p>
<p>So, if you&#8217;ve got one of those warning emails from a company you&#8217;ve done business with, be extra vigilant over the coming weeks with regards to your email.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.pcpro.co.uk/blogs/2011/04/14/waiting-for-the-epsilon-email-attacks-to-start/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Is Microsoft throwing stones in the developer glass house?</title>
		<link>http://www.pcpro.co.uk/blogs/2011/04/06/is-microsoft-throwing-stones-in-the-developer-glass-house/</link>
		<comments>http://www.pcpro.co.uk/blogs/2011/04/06/is-microsoft-throwing-stones-in-the-developer-glass-house/#comments</comments>
		<pubDate>Wed, 06 Apr 2011 09:43:42 +0000</pubDate>
		<dc:creator>Davey Winder</dc:creator>
				<category><![CDATA[Real World Computing]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[development]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.pcpro.co.uk/blogs/?p=36529</guid>
		<description><![CDATA[
Am I the only person who finished reading the Security Development Lifecycle Progress Report and immediately conjured up an image of Microsoft developers throwing stones in a big glass house?
The Microsoft SDL is, obviously, a good thing if it helps to reduce vulnerabilities in code. But I got the feeling that Microsoft was saying that [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/04/securitykey4x3.jpg"><img class="aligncenter size-large wp-image-36544" title="security" src="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/04/securitykey4x3-462x346.jpg" alt="security" width="462" height="346" /></a></p>
<p>Am I the only person who finished reading the <a href="http://www.microsoft.com/downloads/en/details.aspx?FamilyID=918179a7-61c9-487a-a2e2-8da73fb9eade&amp;displaylang=en" target="_blank">Security Development Lifecycle Progress Report</a> and immediately conjured up an image of Microsoft developers throwing stones in a big glass house?</p>
<p>The Microsoft SDL is, obviously, a good thing if it helps to reduce vulnerabilities in code. But I got the feeling that Microsoft was saying that Windows and Internet Explorer are such popular targets for attack because developers are not applying all the SDL techniques and technologies available to them.</p>
<p><span id="more-36529"></span></p>
<p>This is where the glass house theory comes in. Microsoft claims that Vista was the first Windows OS to benefit from the SDL in practice and as a result, after the first year, had 45% fewer vulnerabilities than XP. Great, but who uses Vista now? And more to the point, look how many people still use XP. Vista really isn&#8217;t the best example to hold up and wave about, is it?</p>
<blockquote><p>Vista really isn&#8217;t the best example to hold up and wave about, is it?</p></blockquote>
<p>And then there&#8217;s Internet Explorer, hardly a piece of software with a great track record of being secure and vulnerability free. Using the SDL may help make it more secure, but Microsoft really does need to get its own house in order before preaching to the unconverted.</p>
<p><strong>ASLR versus DEP</strong></p>
<p>But what, exactly, is Microsoft preaching anyway? Microsoft appears to be saying that developers are not making good enough use of Address Space Layout Randomisation (ASLR), which randomises where modules such as DLL files are loaded in memory, so that exploits which depend on knowing those addresses in order to be successful are much harder to pull off.</p>
<p>The Microsoft SDL Progress Report shows that of the popular applications it looked at, only 34% had enabled ASLR, with the same sort of percentages for browser plug-ins. So why is this? No doubt ignorance plays its part, with some developers not fully appreciating the security benefits of implementing ASLR. However, I also wonder if cross-platform development complexities and costs also come into the equation.</p>
<p>The report highlighted another technique that is used to prevent arbitrary code execution, Data Execution Prevention (DEP). This was fully enabled in 71% of the applications Microsoft looked at. So why implement DEP and not ASLR? It&#8217;s that XP factor again. The older OS doesn&#8217;t use ASLR (as far as I am aware) whereas DEP works just fine and dandy.</p>
<p><strong>House in order</strong></p>
<p>Microsoft states on the <a href="http://blogs.msdn.com/b/sdl/archive/2011/03/30/for-your-consideration-the-sdl-progress-report.aspx" target="_blank">MSDN Security Development Lifecycle blog</a>: &#8220;we believe our SDL tools and processes add value and should be shared broadly with the security ecosystem &#8211; a collective effort is needed to meet the threat to computer users worldwide&#8221;. I cannot argue with that.</p>
<p>However, getting one&#8217;s own house in order has to be part of that process across the board, and giving the impression of blaming other developers for Microsoft shortcomings is not really helping matters.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.pcpro.co.uk/blogs/2011/04/06/is-microsoft-throwing-stones-in-the-developer-glass-house/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>How insecure is IPv6?</title>
		<link>http://www.pcpro.co.uk/blogs/2011/03/25/how-insecure-is-ipv6/</link>
		<comments>http://www.pcpro.co.uk/blogs/2011/03/25/how-insecure-is-ipv6/#comments</comments>
		<pubDate>Fri, 25 Mar 2011 14:13:46 +0000</pubDate>
		<dc:creator>Davey Winder</dc:creator>
				<category><![CDATA[Real World Computing]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[internet]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.pcpro.co.uk/blogs/?p=36073</guid>
		<description><![CDATA[
The internet has been running out of space for the best part of ten years now, address space that is. In a nutshell, the 4,294,967,296 addresses provided by IPv4 are pretty much exhausted and so we must start embracing IPv6 which can provide a few more.
How many, exactly?
How does 340,282,366,920,938,000,000,000,000,000,000,000,000 addresses sound to you?
Now I&#8217;m [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/03/globalsecurity.jpg"><img class="aligncenter size-large wp-image-36085" title="globalsecurity" src="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/03/globalsecurity-462x346.jpg" alt="globalsecurity" width="462" height="346" /></a></p>
<p>The internet has been running out of space for the best part of ten years now, address space that is. In a nutshell, the 4,294,967,296 addresses provided by IPv4 are pretty much exhausted and so we must start embracing IPv6 which can provide a few more.</p>
<p>How many, exactly?</p>
<p>How does 340,282,366,920,938,000,000,000,000,000,000,000,000 addresses sound to you?</p>
<p>Now I&#8217;m not going to get stuck into the whole &#8216;how to migrate to IPv6 thing&#8217; here, nor even the debate about how long we really have left to make that migration (although Steve Cassidy will be examining this in issue 200 of <em>PC Pro</em>). Nope, I&#8217;m more interested in what the potential impact upon internet security will be when it&#8217;s a done deal and everything is connected to the internet.</p>
<p><span id="more-36073"></span></p>
<p>In other words, does giving everything an IP address open the door for your fridge to start spamming you? Or perhaps more appropriately, given the type of crap contained in most of the spam I see, your toilet for that matter? Seriously though, what does IPv6 mean for security?</p>
<blockquote><p>Much of the FUD is coming from those with something to sell, be it product or consultancy</p></blockquote>
<p>Given enough IP addresses, the argument goes, the spammers can cycle through such a large and diverse range that spam blacklists become unsustainable, as by the time a domain has been verified as a spam source and added to the blacklist, the spammers behind it have already moved it to another IP address.</p>
<p>This, it seems to me, is less an IPv6 problem and surely more a &#8216;rely on blacklisting to defeat spam&#8217; problem. Other content-focussed techniques, such as Bayesian filtering, don&#8217;t care about where the source is but only what the output consists of.</p>
<p>So are there actually any hidden dangers in the move to an IPv6 address space system at all, or is it all just the usual round of FUD? As some organisations have already implemented IPv6 without any great collapse of security systems, I am inclined to think it is just that. Much of the FUD is coming from those with something to sell, be it product or consultancy.</p>
<p><strong>Potential problems</strong></p>
<p>There will be problems, of course. I&#8217;ve heard reports that the Duplicate Address Detection (DAD) system, which provides the means for a device to ask others on a subnet if they are using a particular address, could be used for denial of service (DoS) attacks without too much effort. But then again, those in the know have told me that it doesn&#8217;t take a whole big bunch of effort to detect this happening and block it.</p>
<p>Am I scared that IPv6 will cause the sky to fall in? Nope, and neither should you be. IPv6 itself is not intrinsically any less secure than IPv4, as long as it is implemented properly &#8212; which means doing your homework during any transition period between the two and ensuring you are not creating holes through which your own particular little piece of sky could fall. But that&#8217;s not different to any transition from one network technology to another&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.pcpro.co.uk/blogs/2011/03/25/how-insecure-is-ipv6/feed/</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
		<item>
		<title>Should your small business buy an Apple iPad 2?</title>
		<link>http://www.pcpro.co.uk/blogs/2011/03/11/should-your-small-business-buy-an-apple-ipad-2/</link>
		<comments>http://www.pcpro.co.uk/blogs/2011/03/11/should-your-small-business-buy-an-apple-ipad-2/#comments</comments>
		<pubDate>Fri, 11 Mar 2011 10:31:11 +0000</pubDate>
		<dc:creator>Davey Winder</dc:creator>
				<category><![CDATA[Hardware]]></category>
		<category><![CDATA[Real World Computing]]></category>
		<category><![CDATA[apple]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[iPad]]></category>
		<category><![CDATA[iPad 2]]></category>
		<category><![CDATA[small business]]></category>

		<guid isPermaLink="false">http://www.pcpro.co.uk/blogs/?p=35671</guid>
		<description><![CDATA[Let me get one thing out of the way right now: I love the iPad and think it&#8217;s a brilliant piece of technology. For the average consumer it&#8217;s quite rightly an object of desire that many aspire to own, and I will be first in the queue for an iPad 2 come launch day. But [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/03/iPad-2-and-covers-.jpg"><img class="aligncenter size-large wp-image-35827" src="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/03/iPad-2-and-covers--462x346.jpg" alt="iPad 2 and covers" width="462" height="346" /></a>Let me get one thing out of the way right now: I love the iPad and think it&#8217;s a brilliant piece of technology. For the average consumer it&#8217;s quite rightly an object of desire that many aspire to own, and I will be first in the queue for an iPad 2 come launch day. But is the iPad 2 a gimme for the average small business buyer? The evidence suggests not.</p>
<p>I do, of course, appreciate that neither the original iPad nor the iPad 2 are pushed primarily as a business tool, but maintain that it&#8217;s a valid question to explore nonetheless.</p>
<p>The trouble is, I&#8217;m hard pressed to come up with too many small business scenarios where media consumption, rather than creation, is a core computing requirement. As a complementary device to an existing netbook or laptop it comes into its own but, seriously, how many small businesses have the kind of budget which will stretch to such a fanciful and, frankly, superfluous purchase in the current economic environment?</p>
<p><span id="more-35671"></span></p>
<p>Sure, you see suits with iPads all the time when travelling first class on the train, so perhaps there is a real business demand? Not that I&#8217;ve noticed, as whenever I look to see what those suits are doing with their iPads the answer is much the same: playing a game, checking schedules, browsing the web and maybe reading (although rarely writing or replying to) their email. I can&#8217;t ever recall seeing someone working on a document or spreadsheet, although I have seen one person with what looked like a PowerPoint presentation running.</p>
<blockquote><p>My advice to the small business contemplating an iPad 2 purchase would be to look instead at buying the original iPad with a £100 discount from Apple before the iPad 2 goes on sale</p></blockquote>
<p>Nope, the business types I see are using the iPad like a giant smartphone that doesn&#8217;t make calls. The fact that they all have a real smartphone, which does make calls, sitting on the table next to the iPad makes this all the more fantastical. Of course, you can buy one of those iPad cases with a keyboard built in to add business usability, and the ones that I have tried are actually quite good. But it&#8217;s another expense that the average small business can ill afford, and if you are looking for a machine that couples a screen with a keyboard then why opt for an iPad in the first place over a netbook or baby laptop? Remember, this is all within the remit of small business usage before you start bombarding me with consumer reasoning.</p>
<p>So what does the iPad 2 itself bring to the small business table that may change the way I look at the device in this context? Well I will admit that FaceTime could be a useful small business tool, bringing usable if very basic videoconferencing into the mix, which was totally missing from the original iPad. But as a unique small business selling point it is something of a hard sell. Most small businesses that I visit are quite happily using Skype on their webcam equipped netbooks and laptops to meet mobile videoconferencing needs, and those with iPhone 4 devices already have FaceTime anyway.</p>
<p>Enhanced performance courtesy of the A5 chip apart, the iPad 2 only really brings HD mirroring to the business checklist. This, courtesy of a Digital AV adapter at further cost, will at least enable portable presentations to be made to an HDTV screen or projector.</p>
<p>Apple didn&#8217;t go overboard on the business angle at the launch of the iPad 2 for good reason: it is not a market that is being aggressively targeted because it isn&#8217;t primarily a business device. Simple as. Those niche businesses which did have a use for the iPad will, budgets allowing, already have invested in the technology and will find precious little reason to upgrade to iPad 2, as most of the advances were in design form rather than business function. Where&#8217;s the USB socket for starters? Some have said that what Apple has launched is really the iPad 1.5 and I&#8217;m minded to agree. In fact, my advice to the small business contemplating an iPad 2 purchase would be to look instead at buying the original iPad with a £100 discount from Apple before the iPad 2 goes on sale.</p>
<p>This might not be as stupid an idea as it first sounds, especially when you consider that it can be updated to iOS 4.3 which brings many of the benefits of the iPad 2 at no extra cost. OK, you won&#8217;t get FaceTime as an OS upgrade cannot magically install cameras front and back, but iOS 4.3 does provide a welcome speed boost to Safari web browsing with the Nitro JavaScript engine, which is now built into the WebKit core rendering technology.</p>
<p>It&#8217;s not just what I call a &#8216;press release speed increase&#8217; either: this one actually makes things faster in the real world by using just-in-time compilation to halve JavaScript execution times. Then there&#8217;s the Personal Hotspot feature. Using this, your iPad can share an iPhone 4 data connection, assuming your carrier supports such a tethering plan and you can afford the additional cost. If it does, and you can, then you will be able to set up a personal hotspot permitting any five devices from three Wi-Fi, three Bluetooth and one USB.</p>
<p>Whether you are thinking about the iPad or iPad 2 as a small business purchase, the real before-you-buy test should be made at the App Store. The proof of the iPad pudding really is in the consumption of apps. Apple is proud of its 10 billion downloaded apps stat, which is rising quickly all the time, but how many of those are relevant to your business niche? If there are enough apps that address a real need in your business then maybe, just maybe, it deserves consideration when you start to look at replacing that laptop or netbook.</p>
<p>But it&#8217;s a big if&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.pcpro.co.uk/blogs/2011/03/11/should-your-small-business-buy-an-apple-ipad-2/feed/</wfw:commentRss>
		<slash:comments>17</slash:comments>
		</item>
		<item>
		<title>Cloud security: is Android the weakest link?</title>
		<link>http://www.pcpro.co.uk/blogs/2011/03/07/cloud-security-is-android-the-weakest-link/</link>
		<comments>http://www.pcpro.co.uk/blogs/2011/03/07/cloud-security-is-android-the-weakest-link/#comments</comments>
		<pubDate>Mon, 07 Mar 2011 16:05:41 +0000</pubDate>
		<dc:creator>Davey Winder</dc:creator>
				<category><![CDATA[Online business]]></category>
		<category><![CDATA[Real World Computing]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[Android]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[mobile]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[smartphone]]></category>

		<guid isPermaLink="false">http://www.pcpro.co.uk/blogs/?p=35197</guid>
		<description><![CDATA[
Much has been written about the security of data in the cloud, and even more about the insecurity of the same. Until now, things have been somewhat quieter when it comes to how we access cloud-based data on the move. That, I suspect, is about to change.
Plenty of effort has been poured into securing online [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/03/HTC-Tattoo-.jpg"><img class="aligncenter size-large wp-image-35350" title="HTC Tattoo" src="http://www.pcpro.co.uk/blogs/wp-content/uploads/2011/03/HTC-Tattoo--462x346.jpg" alt="HTC Tattoo" width="462" height="346" /></a></p>
<p>Much has been written about the security of data in the cloud, and even more about the insecurity of the same. Until now, things have been somewhat quieter when it comes to how we access cloud-based data on the move. That, I suspect, is about to change.</p>
<p>Plenty of effort has been poured into securing online data stores, and plenty is made by the providers of those cloud services in making sure potential customers know about it. Which is why the bad guys are understandably looking for the soft targets, and at the moment that would appear to be Android apps.</p>
<p>I&#8217;ve said it before, and I will say it again: the smaller your business, the bigger the benefits of cloud computing. That rings especially true at the &#8216;free&#8217; end of the cloud scale where the attraction of services such as those provided by Google can offer real bottom-line savings for hard-pressed small business concerns. Security within the free or low-cost cloud isn&#8217;t somehow automatically weaker than that found at the expensive end of the cloud provision market either.</p>
<p>You can be sure that Google has invested heavily in securing the data at rest within those cloud bases, incorporating all the multi-layered protocols and synchronous replication processes you might expect. But perhaps it needs to invest more at the other end, the smartphone to be precise. What you need to ask yourself is whether Android could be the weak link in the cloud security chain?</p>
<p><span id="more-35197"></span></p>
<p>Dan Wallach, an associate professor in the Department of Computer Science at Rice University in Houston, got the ball rolling when he revealed that <a href="http://www.freedom-to-tinker.com/blog/dwallach/things-overheard-wifi-my-android-smartphone" target="_blank">his undergraduate security class had decided to listen in on the traffic</a> to and from his Android smartphone, a Motorola Droid X running Android 2.2.1, with his permission of course.</p>
<blockquote><p>With Android overtaking Apple iOS as the most popular mobile operating system, security of Android apps is going to become something we hear more and more about</p></blockquote>
<p>The class used Wireshark and Mallory to sniff the data and quickly discovered that Google wasn&#8217;t encrypting traffic heading for Google Calendar (using the default Google Calendar app that came with the phone) which is a pretty bad start if you were expecting this kind of information to be kept secure and confidential in transit. Google is, I understand, planning on introducing encrypted traffic to Google Calendar on Android as part of an unspecified maintenance release in the future.</p>
<p>What really grabbed my attention, however, was that while the professor had a Facebook account configured to specify fully encrypted traffic, the Android Facebook app ignored that and sent everything in the clear. Especially as Wallach notes &#8220;Facebook isn&#8217;t doing anything like OAuth signatures, so it may be possible to inject bogus posts as well&#8221;. Oh, and one of the requests that the class saw heading to the Facebook server was carrying a SQL statement, which doesn&#8217;t bode well.</p>
<p>Identity management specialist Phil Lieberman argues that the sending of data (other than passwords) in the clear is &#8220;absolutely typical of open-source software&#8221; and insists that there is little or no incentive for the software developer to do otherwise unless the destination system absolutely requires it.</p>
<p>Indeed, he goes further to warn that the Dan Wallach revelation is an &#8220;early warning shot&#8221; when it comes to the use of cloud-computing platforms and Android. &#8220;The stark reality is that computer science graduates rarely, if ever, receive any training on how to write secure applications,&#8221; Lieberman claimed. &#8220;So it should come as no surprise that many applications created by these same people are insecure&#8221;.</p>
<p>Certainly, with Android overtaking Apple iOS as the most popular mobile operating system, security of Android apps is going to become something we hear more and more about. Unlike Apple, which has had relatively little problem with malicious apps finding their way onto iPhones, courtesy of what some argue are Draconian controls over what reaches the App Store, the Android Market accepts anything that is uploaded and there are no such pre-publication clearance controls to filter out the insecure and downright dangerous.</p>
<p>So perhaps it should come as no surprise that just last week we have seen the discovery of some 50 or so Android apps infected with the &#8216;DroidDream&#8217; rootkit, which are capable of intercepting and diverting personal data. Of course, Google acts quickly (within minutes in this case) to remove such software as soon as it can when such a discovery is made, but that didn&#8217;t prevent people downloading them and being infected in the first place. The DroidDream rootkit also has the capability to download other malicious software which it can then install, so nobody really knows how many handsets are already infected or what they are infected with.</p>
<p>More alarmingly, those same infected handsets, or even the same apps, could be used to access business data in the cloud. Whereas much focus has been put on ensuring company data is properly encrypted when stored on mobile devices, that focus has to now widen to include the apps being used to access the data in the first place.</p>
<p>At the very least, security policy needs to encompass the usage of authorised apps only on any device used to access business data. Better still, ensure that processes are in place that control what data and services a mobile device can, and cannot, access. Either that, or as Phil Lieberman starkly says &#8220;use your smartphone to log into cloud and secure systems at your peril&#8221;.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.pcpro.co.uk/blogs/2011/03/07/cloud-security-is-android-the-weakest-link/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
	</channel>
</rss>

