The recent data breach impacting 150 million users of Under Armour’s MyFitnessPal smartphone application and website offers important lessons for mobile app developers, says security expert Joan Pepin.
The incident is a reminder of how massive the potential victim tally can be when a popular consumer application is breached, she says in an interview with Information Security Media Group.
“That is a huge user base that you’re able to reach through [a] mobile application. And so the responsibility of the developer is great to make sure they are hashing the passwords and email addresses to provide safe harbor if there is a security incident,” she says.
“We talk a lot in security about defense in depth. … Obviously Under Armour had some security measures in place, but those were breached. But then they had a second layer of security – the hashing. That’s a good practice by Under Armour, and those are the types of practices that other mobile app developers should quickly adopt,” she says.
Under Armour says it became aware on March 25 that, during February, an unauthorized party had acquired data associated with the company’s MyFitnessPal user accounts. The company says the majority of the exposed passwords were protected with bcrypt, a password-hashing function with a tunable work factor that makes every guess in an offline attack expensive. User names and email addresses, however, were hashed with SHA-1, a general-purpose hash designed to be fast, which Pepin says is easier to crack than bcrypt.
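The difference matters because an attacker holding a dumped table does not reverse the hash; they guess candidate inputs, hash each one and compare. The defender's only lever is the cost per guess. The following added example (written for this page, not code from Under Armour, MyFitnessPal or the interview) runs the same dictionary attack against a SHA-1 digest and against a slow, work-factor-tuned hash of the same email address and measures the per-guess cost of each. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 at an assumed 100,000 iterations stands in for it; the wordlist, the leaked digests and the fixed salt are all constructed for the demo (a real bcrypt hash carries its own random salt).

```python
"""Added example: why a SHA-1 hash of an email address is far cheaper to
recover offline than a bcrypt-style hash of the same value.

Assumptions (not from the article): PBKDF2-HMAC-SHA256 with a high
iteration count stands in for bcrypt, the wordlist and "leaked" digests
are constructed, and a constant salt is used only to keep the demo short.
"""
import hashlib
import time

# Constructed wordlist: addresses an attacker might already hold from
# earlier breaches. Email addresses live in a small, guessable universe,
# which is what makes a fast hash of them so weak.
WORDLIST = [
    "alice@example.com",
    "bob@example.org",
    "carol@example.net",
    "dave.smith@example.com",
]

SLOW_ITERATIONS = 100_000          # assumed work factor for the slow hash
SALT = b"constant-salt-for-demo"   # constructed; bcrypt would pick a random salt per hash


def sha1_hex(value: str) -> str:
    """Fast general-purpose hash, as the article says was used for emails."""
    return hashlib.sha1(value.encode()).hexdigest()


def slow_hex(value: str, salt: bytes = SALT, iterations: int = SLOW_ITERATIONS) -> str:
    """Stand-in for bcrypt: a deliberately expensive, iterated hash."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, iterations).hex()


def crack(target: str, hasher, wordlist) -> tuple:
    """Dictionary attack against one leaked digest.

    Returns (recovered_value_or_None, guesses_tried, seconds_elapsed).
    """
    start = time.perf_counter()
    for tried, candidate in enumerate(wordlist, 1):
        if hasher(candidate) == target:
            return candidate, tried, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start


def per_guess_cost(hasher, rounds: int = 20) -> float:
    """Average seconds one guess costs the attacker with this hash."""
    start = time.perf_counter()
    for i in range(rounds):
        hasher(f"probe{i}@example.com")
    return (time.perf_counter() - start) / rounds


def compare(leaked_email: str = "dave.smith@example.com") -> dict:
    """Attack the same email under both hashes and report the cost gap."""
    leaked_sha1 = sha1_hex(leaked_email)   # constructed "leaked" digest
    leaked_slow = slow_hex(leaked_email)   # constructed "leaked" digest

    sha1_hit, sha1_guesses, _ = crack(leaked_sha1, sha1_hex, WORDLIST)
    slow_hit, slow_guesses, _ = crack(leaked_slow, slow_hex, WORDLIST)

    sha1_cost = per_guess_cost(sha1_hex)
    slow_cost = per_guess_cost(slow_hex)

    return {
        "sha1_recovered": sha1_hit,
        "slow_recovered": slow_hit,
        "guesses_needed": sha1_guesses,           # identical for both hashes
        "sha1_guesses_per_second": 1.0 / sha1_cost,
        "slow_guesses_per_second": 1.0 / slow_cost,
        "slowdown_factor": slow_cost / sha1_cost,
    }


if __name__ == "__main__":
    result = compare()
    print(f"SHA-1 recovered {result['sha1_recovered']} after "
          f"{result['guesses_needed']} guesses at "
          f"{result['sha1_guesses_per_second']:,.0f} guesses/s")
    print(f"slow hash recovered {result['slow_recovered']} after the same "
          f"{result['guesses_needed']} guesses at "
          f"{result['slow_guesses_per_second']:,.0f} guesses/s")
    print(f"each guess costs the attacker about {result['slowdown_factor']:,.0f}x more "
          f"under the slow hash")
```

Both attacks succeed here because the four-entry wordlist contains the target; the point is the last number. Multiply that factor across a wordlist of every address seen in prior breaches and the fast hash yields the whole table in minutes while the slow one does not, which is why a dumped SHA-1 of an email is close to plaintext for phishing purposes, and why a bcrypt-style hash for every field an attacker would want to recover, not just the password, is the practice Pepin is recommending.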
In the interview, Pepin also discusses:
Why MyFitnessPal application users are potential victims for phishing scams;
Common challenges in breach detection;
Other lessons emerging from the Under Armour breach.
Pepin is CISO of security vendor Auth0, where she is responsible for the security and compliance of the company’s platform, products and corporate environment. She has 20 years of security experience in healthcare, manufacturing, defense, ISPs and MSSPs. Pepin’s previous positions include serving as business information security officer at Nike and CISO of security vendor Sumo Logic.