For example, developers will often turn off TLS certificate validation in their testing environments because they don't have a valid certificate installed on their test servers, but then forget to turn it back on when the product moves into production.
"There was a paper a couple of years back that found a huge percentage of Android applications were making mistakes like this, due to a combination of interface confusion and testing mistakes," Green said.
The failure to properly validate TLS certificates was commonly observed by Veracode during their application security tests, according to Wysopal, and the CERT Coordination Center at Carnegie Mellon University has found that a lot of Android applications have the same problem.
Over the past few years there's been a strong push to build encryption both into consumer applications, in response to revelations of mass Internet surveillance by intelligence agencies, and into enterprise software, in response to the increasing number of data breaches. But while everyone, from the general public to the government, seems to agree that encryption is important and we should have more of it, little attention is being paid to how it's actually implemented into products.
If the situation doesn't improve, we risk ending up with a false sense of security. We'll have encryption built into everything, but it will be broken and our sensitive data will still be vulnerable to spies and would-be thieves.
Sign up for MIS Asia eNewsletters.