Popular Android apps leaking passwords due to poor SSL
A group of researchers from two German universities claim that eight percent of the 13,500 popular, free-of-charge, legitimate Android Android apps they downloaded from Google Play and tested have poorly implemented SSL/TLS protocols that can allow attackers to collect information that the apps send and receive.
With the help of MalloDroid – a specially devised app that uses static code analysis to detect apps vulnerable to MITM attacks because of inadequately or incorrectly implemented encryption protocols – they managed to single out 1,074 vulnerable apps.
Of this batch they picked a hundred to test further by mounting manual Man-In-The-Middle attacks, and they managed to capture “credentials for American Express, Diners Club, Paypal, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, IBM Sametime, remote servers, bank accounts and email accounts,” as well as manipulate “virus signatures downloaded via the automatic update functionality of an anti-virus app to neutralize the protection or even to remove arbitrary apps, including the anti-virus program itself,” and “remotely inject and execute code in an app created by a vulnerable app-building framework.”
They didn’t mention the names of these 41 apps, but say that they have collectively been downloaded by at least 39.5 million users and possibly up to 185 millions (and that’s only on Google Play).
At the same time, the researchers effected a survey that aimed at finding out whether Android users know how to recognize the security state of a browser session correctly, and whether they know how a certificate warning or other security indicators look like and what they it mean.
Unfortunately, over 50 percent of the polled users weren’t able to recognize a secure (or insecure) session when faced with one, and over 55 percent of them had never seen a certificate warning and were rather dismissive of the risk it warned them against.
The researchers admit that their analysis has a number of limitations, and that they obviously were biased towards testing the most popular apps.
Nevertheless, their findings should be worrying, as among the vulnerable apps are a generic online banking app; an extremely popular instant messaging app that, thanks to a broken SSL channel, leaks login credentials for Windows Live account and, consequently, can give access to the users’ email, messages, or data stored in Microsoft’s SkyDrive cloud storage; a popular browser and 20 other apps that trust even arbitrary certificates; an anti-virus app that updated its virus signatures file via a broken SSL connection; and many others.
The researchers will be offering the MalloDroid tool for download as a Web app, so that users can scan the downloaded apps before installing them.
For other details about the research and proposed solutions to the problem of correct SSL / TLS implementation, you can download the paper.