This is What’s Wrong With Security Reporting

Yahoo News picked up this story and it trended to the top (many others also carried it with the same sensationalization). While the meat of the story may have some good information (although not new information), the headline and conclusions are meant to draw clicks.

Headline:

Your Gmail App Is Shockingly Easy to Hack

In the first paragraph:

..allows them access to mobile Gmail accounts with a 92 percent success rate.

What’s wrong with this? Well, for one, the “hack” requires downloading a malicious app to your Android phone. And that 92% success rate? Only among those who download the malicious app.

Yes, it would be nice if shared memory could not be accessed. But that shared memory access also brings benefits (OK, I assume the benefits part. Don’t ask me to list them).

They didn’t test other mobile OSes but say the hack should work on them too. I’m no developer, but I thought on iOS shared memory wasn’t, well, shared by apps, which resulted in many of the complaints about apps not working together. I’ve also read comments that apps don’t access shared memory on Windows Phone. So this calls into question that assumption by the researchers.

In any event, even if it works on other mobile OSes, even for Android the headline should be “Installing malicious app will cause security issue!” But I guess that falls into the non-clickworthy “duh” category.