Have you never done any banking on your smartphone because you had security concerns? Then you, my friend, might have made the right decision. A new study conducted by researchers from two German universities reveals that millions of Android users are vulnerable to data theft due to many apps being poorly coded.
You probably know what SSL and TLS are — protocols for securely transmitting data over the internet (think HTTPS). While generally secure, SSL and TLS do have their vulnerabilities if they are improperly implemented. The German researchers took a look at thousands of Android apps to see if the apps properly implemented SSL and TLS. The researchers found 41 extremely popular apps (downloaded between 39.5 million and 185 million times, according to statistics provided by Google Play) that leak confidential user data or otherwise affect user security.
The researchers started by grabbing 13,500 free apps from Google Play. (Presumably the 13,500 most popular apps, but I don’t know that for sure). Then the scientists conducted “static analysis” tests on the apps to determine which apps, if any, have vulnerable SSL implementations, such as SSL that is subject to “man-in-the-middle” (MITM) exploits (which allow hackers to sniff data sent over secure protocols). The analysis resulted in 1,074 apps that “are potentially vulnerable to MITM attacks.”
The 1,074 was further broken down and 100 apps were selected for manual analysis. From of this manual analysis the above-mentioned 41 apps were discovered to be vulnerable to various different SSL attacking techniques, including but not limited to accepting fake SSL certificates, accepting invalid SSL certificates, and allowing connection to domains not authorized by SSL certificates. All these vulnerabilities lead to the possibility of user data being stolen while using the vulnerable apps, despite the use of SSL connections — data such as usernames, passwords, e-mail addresses, and more.
While the researchers did not specify the names of the apps they found to be vulnerable, they did provide examples: an anti-virus app allowed the use of invalid certificates which allowed the researchers to send the app a fake, malicious database signature; an app (with 1 million to 5 millon downloads) leaked login details when connecting to cloud-based services; an app (with up to 1 million downloads) leaked Facebook and Google login information when connecting to a website; and, a “very popular cross-platform messaging service” app with 10 million to 50 million downloads leaked telephone numbers from user address books.
Since the researchers did not reveal the name of the apps that have the vulnerabilities, it is not possible for me to tell you exactly what apps you should stay clear of. However, as ArsTechnica points out, the researchers described most of the apps as “generic” which hints at the fact that the poorly coded apps are third-party apps and not official apps provided by the respective services. So the best way currently to protect yourself from this is to stick to official apps as much as possible.
It should be noted the above mentioned vulnerabilities are not due to the Android platform itself but rather due to developers poorly coding their apps. However, the researchers mention that Google can take steps to protect users from these poorly coded apps — such as performing static analysis, the same thing that the researchers performed, on apps when users install apps and/or implement “certificate pinning” which makes it harder to use fake certificates.
Another thing to keep in mind is this issue may be present on other platforms too, such as iOS, because the issue is related to how third-party developers code apps — the issue isn’t platform specific. However, the researchers did not conduct a similar study on iOS apps to discover if those apps have similar vulnerabilities. Why not? Who knows, but ArsTechnica speculates it is probably because Android’s “openness” allows for better static analysis versus Apple’s walled garden which makes it harder.
[via ArsTechnica, Research Paper]