According to a new study by German researchers from Leibniz University in Hannover and Philipps University of Marburg, a large swath of Android apps apparently do not implement their SSL correctly. The researchers sampled 13,000 apps and found that 1,000 of them exposed users' personal data. Here's a quote with a few more details:

In this paper (PDF), the researchers from Leibniz University in Hannover and Philipps University of Marburg found that 17 percent of the SSL-using apps in their sample suffered from implementations that potentially made them vulnerable to man-in-the-middle (MITM) attacks.

They state that they were “able to capture credentials from American Express, Diners Club, PayPal, bank accounts, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, remote control servers, arbitrary e-mail accounts, and IBM Sametime”.

In addition, since virus software also uses SSL, “We were able to inject virus signatures into an anti-virus app to detect arbitrary apps as a virus or disable virus detection completely.”

The researchers were able to determine that it wasn't really a flaw in Android, so much as it was sloppy or lazy implementation of the SSL. This seems rather disturbing. What do you guys think?
Thanks for the tip, furbearingmammal!
Source: Android apps get SSL wrong, expose personal data - The Register
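For readers wondering what a "sloppy or lazy implementation of the SSL" looks like in an Android app, here is an added illustration in Java; it is not code from the study, the article, or any of the apps mentioned, and the class and method names (TlsValidationDemo, TRUST_ALL, platformTrustManager, rejectsUnvalidatedChain) are my own. It places the common mistake of installing a trust-everything X509TrustManager and HostnameVerifier beside the correct approach of keeping the platform's default trust store and hostname check, and shows why the first one turns TLS into no protection against an active attacker: the platform manager refuses a chain it cannot validate, the trust-all manager accepts it. Since the quoted anti-virus case depends on the same check, the same fix applies there.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TlsValidationDemo {

    // The faulty pattern: a TrustManager that accepts every certificate chain and a
    // HostnameVerifier that accepts every host. The session is still encrypted, but
    // any party that can sit on the network path and present any certificate at all
    // is accepted as the server, so credentials are sent straight to it.
    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };
    static final HostnameVerifier ALLOW_ALL_HOSTS = new HostnameVerifier() {
        @Override public boolean verify(String hostname, SSLSession session) { return true; }
    };

    // The insecure wiring: installing the two objects above globally. Grepping a
    // code base for setDefaultSSLSocketFactory / setDefaultHostnameVerifier and for
    // empty checkServerTrusted bodies is a quick first review check.
    static void installInsecureDefaults() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { TRUST_ALL }, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier(ALLOW_ALL_HOSTS);
    }

    // The correct pattern: the platform's own X509TrustManager, initialised with the
    // default trust store (a null KeyStore means "use the system store"). This is what
    // HttpsURLConnection uses when no custom factory is installed, so the real fix is
    // simply not to override it.
    static X509TrustManager platformTrustManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available on this platform");
    }

    // Opening a connection securely: no setSSLSocketFactory and no setHostnameVerifier
    // override, so chain validation and hostname matching stay active.
    static HttpsURLConnection secureConnection(java.net.URL url) throws java.io.IOException {
        return (HttpsURLConnection) url.openConnection();
    }

    // Returns true if the trust manager refuses a chain it cannot validate. An empty
    // chain is used as the simplest case no validator should ever accept.
    static boolean rejectsUnvalidatedChain(X509TrustManager tm) {
        try {
            tm.checkServerTrusted(new X509Certificate[0], "RSA");
            return false; // accepted without validation: the pattern the study warns about
        } catch (Exception e) {
            return true;  // refused: the behaviour a correct implementation shows
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("trust-all manager rejects unvalidated chain: "
            + rejectsUnvalidatedChain(TRUST_ALL));              // false
        System.out.println("platform manager rejects unvalidated chain:  "
            + rejectsUnvalidatedChain(platformTrustManager())); // true
    }
}
```

The design point is that there is nothing to "add" on the secure side: Android's HttpsURLConnection already validates the chain against the system trust store and checks the hostname, and the vulnerability comes only from code that actively replaces those checks. A self-signed development server is the usual reason developers write TRUST_ALL; the safer route is to put the development CA into the app's trust configuration rather than to switch validation off.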