Researchers find 1,000 insecure Android apps; SSL Vulnerabilities Expose Data

[dgstorm]

According to a new study by German researchers from Leibniz University in Hannover and Philipps University of Marburg, a large swath of Android apps apparently do not implement their SSL correctly. The researchers sampled 13,000 apps and found that 1,000 of them exposed users' personal data. Here's a quote with a few more details,

In this paper (PDF), the researchers from Leibniz University in Hannover and Philipps University of Marburg found that 17 percent of the SSL-using apps in their sample suffered from implementations that potentially made them vulnerable to man-in-the-middle MITM attacks.


They state that they were “able to capture credentials from American Express, Diners Club PayPal, bank accounts, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, remote control servers, arbitrary e-mail accounts, and IBM Sametime”.

In addition, since virus software also uses SSL, “We were able to inject virus signatures into an anti-virus app to detect arbitrary apps as a virus or disable virus detection completely.”

The researchers were able to determine that it wasn't really a flaw in Android, so much as it was sloppy or lazy implementation of the SSL. This seems rather disturbing. What do you guys think?

Thanks for the tip, furbearingmammal!

Source: Android apps get SSL wrong, expose personal data ? The Register

[CR6]

Oh that's nice! (sarcasm)

tap'n

[RyanJ]

These issues make me wish I had stayed with apple...

[CR6]

You're sorely misinformed if you think this can't happen on an iPhone. Security risks , collecting of personal data, malware, etc can and do happen on iPhones as well. A simple Google search will yield plenty of articles/instances if you're so inclined to look. Here's just one of many interesting articles that brings to light the false sense of security that many Apple users blindly trust in by believing they're immune from issues such as this. http://anti-virus-rants.blogspot.com...-free.html?m=1

tap'n

[RyanJ]

Wow I guess your right.... and I was one of the blind ones that thought that!

[Jeffrey]

These issues make me wish I had stayed with apple...

You can always go back.....

[Jeffrey]

This is obviously a Developer issue. I think it's impossible for Google to check the code of every app created

[RyanJ]

Go back?!?! Not a chance! I love my freedom!

[furbearingmammal]

The vulnerabilities were mostly off use only for man in the middle attacks, which are fairly difficult to implement without detection on a wide scale.

Still, troubling that the devs aren't as protective as th they should be.

Sent from my SCH-I535