Android Apps Are Vulnerable to SSL Exploits

Although Google has invested a lot of time and money in its Google Play Store—formerly known as Android Market—to bring it to the same level as Apple’s App Store, it still needs a lot of work.

One of the biggest imperatives for Google is to strengthen the security of its apps. A new German research report, which was released during the annual ACM Computer and Communications Security Conference (CCS) 2012, uncovered big security issues.

Thus far, Apple hasn’t had big problems with apps, aside from those related to the social networking app Path that were fixed at the beginning of this year. On the other side, Google is well known for not having implemented any security measures or manual app approval procedures.

ArsTechnica reports that German researchers found 41 Google Play apps that could expose users’ sensitive data such as passwords and bank account information. The experts were able to bypass the secure sockets layer (SSL) and transport layer security (TLS) protections implemented by the apps when they connected phones running Android’s Ice Cream Sandwich to a local area network that was using various known exploits.

For those who don’t know, SSL and TLS are the protocols responsible for encrypting the connection between a website and its users. If these protocols are vulnerable, the connection isn’t secure and sensitive information can be exposed.

The German scientists downloaded 13,500 apps and identified 1,074, almost 8 percent, that contained “SSL-specific code that either accepts all certificates or all hostnames for a certificate and thus are potentially vulnerable to MITM attacks.” Further, the scientists picked 100 apps and connected them to a network that used an SSL proxy to test whether their SSL connections were insecure and could be bypassed. In some cases, the apps accepted SSL certificates that weren’t authorised or had even expired, and in other cases they were defeated by an SSL strip attack.
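A source-level check for the two patterns named in the researchers’ quote, as an added example (it is not the researchers’ tool and not code from the report). The Java snippets are constructed samples, and the regular expressions are assumed heuristics for how accept-all code typically looks in source form.

```python
import re

# Constructed Java samples for illustration (not taken from any real app).
TRUST_ALL = '''
class NaiveTrustManager implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    public void checkServerTrusted(X509Certificate[] chain, String authType) {
        // accept everything
    }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}
'''
ALLOW_ALL_HOSTS = '''
HostnameVerifier v = new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
};
factory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
'''
SAFE = '''
public void checkServerTrusted(X509Certificate[] chain, String authType)
        throws CertificateException {
    defaultTm.checkServerTrusted(chain, authType);  // delegate to platform check
}
'''

COMMENTS = re.compile(r'//[^\n]*|/\*.*?\*/', re.S)
# checkServerTrusted whose body is empty or a bare "return;" never rejects a chain.
CHECK_SERVER = re.compile(
    r'void\s+checkServerTrusted\s*\([^)]*\)[^{;]*\{\s*(?:return\s*;\s*)?\}')
# HostnameVerifier.verify that unconditionally returns true.
VERIFY_TRUE = re.compile(
    r'boolean\s+verify\s*\([^)]*\)[^{;]*\{\s*return\s+true\s*;\s*\}')
# Apache HttpClient's built-in accept-any-hostname verifier.
ALLOW_ALL = re.compile(r'\bALLOW_ALL_HOSTNAME_VERIFIER\b|\bAllowAllHostnameVerifier\b')

def scan(java_source):
    """Return a sorted list of findings for one Java source string."""
    code = COMMENTS.sub('', java_source)  # a comment-only body is still empty
    findings = set()
    if CHECK_SERVER.search(code):
        findings.add('accepts-all-certificates')
    if VERIFY_TRUE.search(code) or ALLOW_ALL.search(code):
        findings.add('accepts-all-hostnames')
    return sorted(findings)

if __name__ == '__main__':
    for name, src in [('TRUST_ALL', TRUST_ALL), ('ALLOW_ALL_HOSTS', ALLOW_ALL_HOSTS), ('SAFE', SAFE)]:
        print(name, scan(src))
```

A match only marks code as potentially vulnerable, which is the same distinction the study draws between the 1,074 flagged apps and the 100 it then tested against an SSL proxy.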

We don’t have the names of these insecure apps, but we know that they were pretty popular among Android users, given that they were downloaded between 39.5 million and 185 million times. The apps were offered by third-party developers, and not by the websites or services they were connected to.

The researchers, from Germany’s Leibniz University of Hannover and Philipps University of Marburg, said:

“We could gather bank account information, payment credentials for PayPal, American Express and others. Furthermore, Facebook, e-mail and cloud storage credentials and messages were leaked, access to IP cameras was gained, and control channels for apps and remote servers could be subverted.”

Android Future

It appears that Google will start implementing some security features with the next version of Play Store. It was expected to be announced on October 29th during the Google Android event in New York City, but that has been cancelled because of Hurricane Sandy. No word at this writing on when it will be rescheduled.

Android Police learned that Google’s Play Store version 3.9.16 has a built-in malware scanner that allows Google to inspect every app their users download and warn them whether it’s suspicious or not.

It’s only a small step, and bad guys will always try to bypass Google security and leak sensitive information. Therefore I’d advise any Android owner to install a licensed anti-virus solution that can scan and detect potential security issues. Android and all smartphone users should also be aware that connecting to a Wi-Fi network is not always secure and this can lead to leaks of sensitive data.
