Yesterday I decided to finally take a look at the iOS app E*Trade has been telling me all those wonderful things about. I’d been kinda skeptical about managing my brokerage account from my phone, but sometimes it’s nice to check on stuff. (Like if I actually transferred that money from savings to cover a check.)
Other reviewers can discuss the features (which seem a little clunky and definitely overly complex) but what I wanted to investigate is how the app secures data over the network.
The info about it from the App Store says it’s all wonderful and secure and stuff, because data is stored on the server and never on the device. That’s nice. And the website is all about how secure it is. Spiffy. How, exactly, is data protected as it goes from here to there? No Comment. Not even marketing copy about “Industry-Standard 938,842-bit Encryption.”
When I started up the app, the first thing I got was a giant agreement to read and accept. It was clearly written by lawyers, because there is an entire paragraph where they disclaim any and all liability for network data security. The user is responsible for ensuring the device’s connection to the Internet is reliable and secure, blah blah blah. (I tried to find a copy of this online, but haven’t yet.) As far as I can tell, they can send everything absolutely in the clear and according to the user agreement it would be just fine.
So I did what any self-respecting, security-aware user would do (no, not fire up Wireshark, or at least not yet): I called them up and asked.
The mobile trading support guy said “Of course everything is encrypted.” Ok, good. I recall my comment about SSL being answered with “whatever that is.” Ok, he’s not a developer. I mentioned it would be nice if the description of the app actually said something about the encryption standards used, and he agreed.
What I got out of this exercise is that E*Trade almost certainly contracted out the development of their mobile apps (which is normal) and their customer-facing support staff doesn’t know much about the details of data protection for them (which is disconcerting). I know enough iOS developers to believe that the people who built the app were probably not so stupid as to ignore data security, but there was a breakdown in communication between them and the online documentation. I hope my feedback actually gets to someone who knows what SSL is.
In the meantime, if I absolutely must do something while away from my computer, I’ll turn on the VPN connection and at least keep it from being sniffed over the air. And look for an app update with a full description of how the app protects my data in transit.
feorlen says:
This link is Relevant to Your Interests:
Evan Schuman: Starbucks caught storing mobile passwords in clear text
15 January 2014, 12:41 pm