Popular Android apps leaking passwords due to poor SSL
Posted on 22 October 2012.
A group of researchers from two German universities claim that eight percent of the 13,500 popular, free-of-charge, legitimate Android apps they downloaded from Google Play and tested have poorly implemented SSL/TLS that can allow attackers to collect information that the apps send and receive.

With the help of MalloDroid - a specially devised app that uses static code analysis to detect apps vulnerable to MITM attacks because of inadequately or incorrectly implemented encryption protocols - they managed to single out 1,074 vulnerable apps.

Of this batch they picked a hundred to test further by mounting manual Man-In-The-Middle attacks, and they managed to capture "credentials for American Express, Diners Club, Paypal, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, IBM Sametime, remote servers, bank accounts and email accounts," as well as manipulate "virus signatures downloaded via the automatic update functionality of an anti-virus app to neutralize the protection or even to remove arbitrary apps, including the anti-virus program itself," and "remotely inject and execute code in an app created by a vulnerable app-building framework."

They didn't name these 41 apps, but say that they have collectively been downloaded by at least 39.5 million users and possibly up to 185 million (and that's only on Google Play).

At the same time, the researchers conducted a survey that aimed at finding out whether Android users can correctly recognize the security state of a browser session, and whether they know what a certificate warning or other security indicators look like and what they mean.

Unfortunately, over 50 percent of the polled users weren't able to recognize a secure (or insecure) session when faced with one, and over 55 percent of them had never seen a certificate warning and were rather dismissive of the risk it warned them against.

The researchers admit that their analysis has a number of limitations, and that they obviously were biased towards testing the most popular apps.

Nevertheless, their findings should be worrying, as among the vulnerable apps are a generic online banking app; an extremely popular instant messaging app that, thanks to a broken SSL channel, leaks login credentials for a Windows Live account and, consequently, can give access to the user's email, messages, or data stored in Microsoft's SkyDrive cloud storage; a popular browser and 20 other apps that trust even arbitrary certificates; an anti-virus app that updates its virus signature file over a broken SSL connection; and many others.
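As an added illustration (written for this article, not the MalloDroid tool or code from any of the apps tested), the following sketch shows the kind of static check that finds the "trust any certificate" and "accept any hostname" patterns behind the apps described above. The Java fragments are constructed, and the class names, the PINS set and the factory variable are hypothetical:

```python
import re
# Constructed Java fragments standing in for decompiled app code; none is from a real app.
SAMPLE_SOURCES = {
    "TrustAll.java": """
        class TrustAll implements X509TrustManager {
            public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { }
            public X509Certificate[] getAcceptedIssuers() { return null; }
        }""",
    "AnyHost.java": """
        class AnyHost implements HostnameVerifier {
            public boolean verify(String host, SSLSession s) { return true; }
        }""",
    "Legacy.java": "factory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);",
    "Pinned.java": """
        class Pinned implements X509TrustManager {
            public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
                if (!PINS.contains(c[0].getPublicKey())) throw new CertificateException("pin mismatch");
            }
        }""",
}
def method_body(src, name):
    """Return the text between the braces of the first method called `name`, or None."""
    m = re.search(r"\b" + name + r"\s*\([^)]*\)[^{;]*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:  # walk forward to the matching closing brace
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def scan_source(src):
    """Flag the certificate/hostname validation patterns that let a MITM proxy go unnoticed."""
    findings = []
    if "X509TrustManager" in src:
        body = method_body(src, "checkServerTrusted")
        # A checkServerTrusted that can never throw accepts every certificate chain (heuristic).
        if body is not None and "throw" not in body:
            findings.append("TrustManager accepts all certificates")
    if "HostnameVerifier" in src:
        body = method_body(src, "verify")
        if body is not None and re.fullmatch(r"\s*return\s+true\s*;\s*", body):
            findings.append("HostnameVerifier accepts any hostname")
    if "ALLOW_ALL_HOSTNAME_VERIFIER" in src:
        findings.append("ALLOW_ALL_HOSTNAME_VERIFIER used")
    return findings

def scan_all(sources):
    return {n: f for n, f in ((n, scan_source(s)) for n, s in sources.items()) if f}
```

A real scanner would work on decompiled bytecode rather than source text and would also follow delegation to other trust managers, which this heuristic does not.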

The researchers will be offering the MalloDroid tool for download as a Web app, so that users can scan the downloaded apps before installing them.

For other details about the research and proposed solutions to the problem of correct SSL/TLS implementation, you can download the paper.
