RIIS On Android Security (And Why Consumers Should Be Worried)
Nolan Godfrey, founder and president of a Southfield, MI-based IT company called RIIS, has the soul of a writer. An early expert on Java security, he eventually fell in love with the written word and only reluctantly came back to computers after realizing he wrote “too slowly to make any money.” But he also has the soul of an engineer. “Every place where I’ve worked, I’ve tried to fix things,” he says. “That’s the engineer in me.”
He’s found a way to combine his talents in the recent publication of a new book on Android security that builds on mobile development work the company has been doing from its headquarters in Southeast Michigan. In late September, RIIS released a first-of-its-kind security tool called HoseDex2Jar. HoseDex2Jar prevents would-be hackers from using the Dex2Jar tool, which converts Android APKs back into Java .jar files, as a means to decompile Android apps and get access to sensitive data. “A few years ago, it dawned on me that we have a much bigger security problem on the Android side,” Nolan says. “I really don’t understand why nobody is paying attention; nobody is talking about basic protection.”
The issue, Nolan explains, is that Android apps can be decompiled to recover source code, which is often tied to back-end databases, leaving the door open for hackers to obtain things like credit card information or Social Security numbers. Adding to the threat is the fact that the actual code for the apps is downloaded onto the phone, where it sits fully open without the protection of firewalls or servers.
Nolan praises Google for its efforts to get the word out about the free security tools it offers, but he says those efforts are being ignored. “We’ve contacted a bunch of people to show them how easy it is to protect their code. But people ignore it until a media storm hits. People can even get very defensive—they think we’re attacking them or trying to sell them something—but they need to be open about security issues on the Android platform and fix them.”
Though it’s clear Nolan spends a fair amount of time thinking about this stuff, it’s far from the only thing RIIS does. Formed in 1998, RIIS now has 48 employees and is looking to hire a few more. (Nolan says he doesn’t like chaos, which is why he’s chosen to grow his company slowly.) Over the past three years, the company has gotten more heavily into mobile development—RIIS just released an app called Shop Auto Week that allows users to find cars for sale—but it also does onsite projects for big entities like DTE, Blue Cross Blue Shield, and even police departments.
“We go against the grain,” he says. “We have a lot of really dynamic consultants who are also able to code. HoseDex2Jar is free, but we’re hoping to get more mobile development clients.”