Wednesday, 5 November 2014

Google releases app security checker for Android, iOS, Windows and OS X


Google releases vulnerability checker for developers


Google has launched a security tool called 'nogotofail' to help Android, iOS, Linux, Windows, OS X and Chrome developers check that applications are secure against known threats.
Android security engineer Chad Brubaker announced the nogotofail tool in a blog post, promising that it will help developers quickly check for and spot mistakes in their applications' code that could leave customers open to cyber attacks.
"The Android Security Team has built a tool, called nogotofail, that provides an easy way to confirm that the devices or applications you are using are safe against known TLS/SSL vulnerabilities and misconfigurations," read the post.
"Nogotofail works for Android, iOS, Linux, Windows, Chrome OS, OSX, in fact any device you use to connect to the internet.
"There's an easy-to-use client to configure the settings and get notifications on Android and Linux, as well as the attack engine itself which can be deployed as a router, VPN server or proxy."
The tool is an open source project which Google hopes will be supported by third-party developers in the near future. Brubaker said the tool is part of Google's ongoing battle to help developers improve their products' security.
"Google is committed to increasing the use of TLS/SSL in all applications and services. But 'HTTPS everywhere' is not enough; it also needs to be used correctly," read the post.
"Most platforms and devices have secure defaults, but some applications and libraries override the defaults for the worse, and in some instances we've seen platforms make mistakes as well.
"As applications get more complex, connect to more services, and use more third-party libraries, it becomes easier to introduce these types of mistakes."
The tool has received praise from the security industry. F-Secure security analyst Sean Sullivan told V3 that nogotofail will prove useful to many application developers.
"I think Chad Brubaker makes a very valid point - HTTPS isn't enough if it's weakly implemented. [Weak implementation] may even provide a harmful false sense of security. Good on Google for making this open source," he said.
Nogotofail is one of many measures taken by Google to help improve cyber security. The firm increased the maximum payment in its Chrome bug bounty programme to $15,000 on 1 October.
