Raising My Game on Security

It is fairly obvious, given the revelations of recent days and weeks, that the security we developers thought we had built is not as strong as it should be.

Whether you find the behavior of the NSA and GCHQ to be exemplary or execrable, if they can break through this security, others can too. The GCHQ does not have a monopoly on brains, and the NSA has amply demonstrated that others can get at the NSA’s own data. While you may agree with the NSA’s and GCHQ’s professed aims, it is unlikely that you would agree with the aims of everyone potentially capable of breaking security, whether they be state-sponsored agencies, organized crime, rather disorganized crime (e.g., you left your phone in the back of a taxi), etc.

While there will be shouts and cries in Whitehall and Washington for legislative and judicial controls over global surveillance, it is really up to us as engineers to “raise our game” and better secure the endpoints, given that the security of the pipes and centralized services is suspect.

And, right now, Android may well be the most popular endpoint OS on the planet.

So, here is how I will be raising my game:

  • Continuing to expand coverage of security measures in my book, such as validating app signatures, blending strong SSL techniques with HTTP stacks like Retrofit, etc.

  • Continuing to add code samples on the coverage that is already there, such as SSL certificate pinning and memorization, encrypting GCM messages, etc.

  • In 2014, revising my book tutorials — and other samples as is practical — to use SSL and encrypted databases

  • Building more open source libraries with an eye towards security (anyone want a FileProvider workalike that supports serving encrypted files?)

  • Continuing to present on defending user data, at conferences and elsewhere

  • Donating to projects like Trsst, as even if the Web site winds up failing in the marketplace of services, the open source secure-and-federated architecture may succeed in the marketplace of ideas

  • Even finally getting SSL going on the Warescription site (not that there’s much to secure at present)

And I have some other “irons in the fire” for 2014 and beyond.

How are you going to raise your game?


Stuck on an Android problem? Subscribers have access to live office hours chats with Mark Murphy, to help you work through your challenges!