SSL Flaws Found in Android Applications, Leave Users Open to Attacks
Researchers from the Leibniz University of Hanover and the Philipp University of Marburg in Germany found evidence that a hefty number of Android apps expose their users to insecure connections, leaving them vulnerable to attacks. The researchers analyzed 13,500 Android applications, some of which failed to secure their connections properly using the SSL/TLS cryptographic protocol.
Of those 13,500 apps, 1,074 contained code vulnerable to man-in-the-middle (MITM) attacks. In this type of attack, an adversary intercepts regular traffic and can read or modify the data before passing it on to its intended destination. The analysis was done with an automated tool called MalloDroid, which checks how apps handle SSL certificates and searches for poor practices. After the automated pass, the researchers selected 100 potentially vulnerable apps for manual examination, and 41 of them were confirmed to be vulnerable to MITM attacks.
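The "poor practices" the article refers to are not spelled out on this page, so the following is an added illustration, not code from the article or from the MalloDroid project: it assumes the classic Android anti-pattern of installing a TrustManager and HostnameVerifier that accept everything, shows the hardened form beside it (which is simply to leave the platform defaults alone), and adds a self-check a developer can run against a test server that presents a self-signed certificate. The class name, method names and the test URL are placeholders chosen for this example.

```java
import java.io.IOException;
import java.net.URL;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class SslValidationDemo {

    // POOR PRACTICE (assumed pattern): a TrustManager that accepts every
    // certificate chain and a HostnameVerifier that accepts every host.
    // Together they disable the two checks that let SSL/TLS resist a
    // man-in-the-middle: validating the chain against trusted CAs, and
    // matching the certificate to the server name the app asked for.
    static final X509TrustManager ACCEPT_ALL_CERTS = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };
    static final HostnameVerifier ACCEPT_ALL_HOSTS = (hostname, session) -> true;

    // Vulnerable variant: whatever certificate appears on the wire is accepted,
    // so an interposed party with any certificate can read the traffic.
    static HttpsURLConnection openVulnerable(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { ACCEPT_ALL_CERTS }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(ACCEPT_ALL_HOSTS);
        return conn;
    }

    // Hardened variant: keep the platform defaults. HttpsURLConnection already
    // validates the chain against the device trust store and verifies the
    // hostname; the fix for the anti-pattern above is not to override them.
    static HttpsURLConnection openHardened(URL url) throws IOException {
        return (HttpsURLConnection) url.openConnection();
    }

    // Self-check: against a server presenting a self-signed certificate,
    // correctly validating code must refuse the handshake. A successful
    // connect means certificate validation has been disabled somewhere.
    static boolean rejectsUntrustedCertificate(HttpsURLConnection conn) throws IOException {
        try {
            conn.connect();
            return false;   // handshake succeeded: validation is broken
        } catch (SSLException e) {
            return true;    // expected: untrusted chain (SSLHandshakeException) or host mismatch
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholder: point this at a test host you control that
        // presents a self-signed certificate, never at a production service.
        URL untrustedTestServer = new URL("https://self-signed.test.example/");
        System.out.println("vulnerable connection rejects bad cert: "
                + rejectsUntrustedCertificate(openVulnerable(untrustedTestServer)));
        System.out.println("hardened connection rejects bad cert:   "
                + rejectsUntrustedCertificate(openHardened(untrustedTestServer)));
    }
}
```

Run against a self-signed test server, the vulnerable connection reports that it does not reject the bad certificate while the hardened one does; the same check is a cheap regression test to keep in an app's test suite so that a "temporary" accept-all TrustManager added during development cannot ship unnoticed.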
Attackers exploiting these flaws could even capture important credentials for American Express, PayPal, bank accounts, Twitter, Facebook, WordPress and many more. One of the vulnerable apps was an antivirus app, unbelievable as that may seem. The root cause is the poor practices applied by developers, but they are not the only ones to blame, since Android is also guilty here. The OS doesn't provide visual feedback to show whether or not you're on a secure SSL channel, as most modern browsers do.
The problem even shows up in the Play Store: tested with an invalid SSL certificate, it gives no notification that there is a security issue. Oddly enough, the Android browser itself actually handles SSL well. So, what can we do to become more secure?