Under Armour Mobile App Breach: Lessons to Learn
Security Expert Joan Pepin Offers Insights for App Developers
The recent data breach impacting 150 million users of Under Armour's MyFitnessPal smartphone application and website offers important lessons for mobile app developers, says security expert Joan Pepin.
The incident is a reminder of how massive the potential victim tally can be when a popular consumer application is breached, she says in an interview with Information Security Media Group.
"That is a huge user base that you're able to reach through [a] mobile application. And so the responsibility of the developer is great to make sure they are hashing the passwords and email addresses to provide safe harbor if there is a security incident," she says.
"We talk a lot in security about defense in depth. ... Obviously Under Armour had some security measures in place, but those were breached. But then they had a second layer of security - the hashing. That's a good practice by Under Armour, and those are the types of practices that other mobile app developers should quickly adopt," she says.
Under Armour says it became aware on March 25 that during February, an unauthorized party acquired data associated with the company's MyFitnessPal user accounts. The company says a majority of the passwords exposed were protected with the hashing algorithm Bcrypt. User names and email addresses, however, were secured using the SHA-1 hashing function, which Pepin says is easier to crack than Bcrypt.
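The distinction Pepin draws between bcrypt and SHA-1 comes down to salting and cost: an unsalted, single-pass SHA-1 digest of an email address is the same every time, so a table of digests of likely values can be matched against it directly, while a salted, deliberately slow hash has to be recomputed per salt and per guess. The following is an added illustration, not code from the article, Under Armour or Auth0. bcrypt is not in Python's standard library, so hashlib.scrypt (also a salted, tunable-cost password hash) stands in for it; the email addresses and passwords are constructed sample values.

```python
"""
Added example: unsalted SHA-1 (as reportedly used for MyFitnessPal usernames
and email addresses) versus a salted, tunable-cost hash. hashlib.scrypt stands
in for bcrypt here because bcrypt is not part of the standard library.
"""
import hashlib
import hmac
import os

# Cost parameters (assumed values for this demo; raise N as hardware gets faster).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SCRYPT_MAXMEM = 64 * 1024 * 1024
SALT_LEN = 16


def sha1_unsalted(value: str) -> str:
    """One fast hash, no salt: identical input always yields the identical digest,
    so a precomputed table of digests of common values matches it immediately."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest()


def hash_secret(secret: str, salt=None) -> str:
    """Salted, slow hash. Returns a self-describing record so the parameters and
    salt travel with the hash and can be raised later without breaking old records."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(
        secret.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, maxmem=SCRYPT_MAXMEM, dklen=32,
    )
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_secret(secret: str, record: str) -> bool:
    """Recompute with the stored parameters and salt; compare in constant time."""
    algo, n, r, p, salt_hex, digest_hex = record.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported hash record")
    digest = hashlib.scrypt(
        secret.encode("utf-8"), salt=bytes.fromhex(salt_hex),
        n=int(n), r=int(r), p=int(p), maxmem=SCRYPT_MAXMEM, dklen=32,
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def unsalted_exposure(stored_digests, candidate_values):
    """Defender's audit: which stored unsalted SHA-1 digests are recovered by a
    table built once from candidate values (one hash per candidate, reused
    against every stored record). With a per-record salt this shortcut is gone."""
    table = {sha1_unsalted(v): v for v in candidate_values}
    return {d: table[d] for d in stored_digests if d in table}


if __name__ == "__main__":
    # Constructed sample data, not real MyFitnessPal records.
    emails = ["alice@example.com", "bob@example.com"]
    stored_sha1 = [sha1_unsalted(e) for e in emails]
    print("SHA-1 records recovered from a two-entry table:",
          unsalted_exposure(stored_sha1, ["alice@example.com", "carol@example.com"]))

    rec_a = hash_secret("correct horse battery staple")
    rec_b = hash_secret("correct horse battery staple")
    print("same password, different records:", rec_a != rec_b)
    print("verify ok:", verify_secret("correct horse battery staple", rec_a))
    print("verify wrong:", verify_secret("wrong password", rec_a))
```

Storing the cost parameters inside the record (the `scrypt$N$r$p$salt$hash` layout is this example's own convention) is what lets a team raise the work factor on the next login instead of re-hashing everything at once; bcrypt's own `$2b$12$...` format encodes its cost the same way.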
In the interview, Pepin also discusses:
- Why MyFitnessPal application users are potential victims for phishing scams;
- Common challenges in breach detection;
- Other lessons emerging from the Under Armour breach.
Pepin is CISO of security vendor Auth0, where she is responsible for the security and compliance of the company's platform, products and corporate environment. She has 20 years of security experience in healthcare, manufacturing, defense, ISPs and MSSPs. Pepin's previous positions include serving as business information security officer at Nike and CISO of security vendor Sumo Logic.