Some Android apps have serious SSL vulnerabilities, researchers say

Jon Gold (Network World)
19 October, 2012 20:44
Comments

A team of researchers from two German universities has released a study asserting that many of the most popular free apps available through the Google Play store may be vulnerable to man-in-the-middle attacks -- seriously threatening user privacy.

The researchers, from the Universities of Hannover and Marburg, studied the 13,500 most popular free apps on the Play store for SSL and TLS vulnerabilities. They found that 1,074 of the applications "contain SSL specific code that either accepts all certificates or all hostnames for a certificate and thus are potentially vulnerable to MITM attacks," according to a summary posted online.

Additionally, the scientists performed a manual audit of 100 apps for a more definitive look at potential security issues, finding that 41 were open to man-in-the-middle attacks because of SSL vulnerabilities. They said that the vulnerable apps could be exploited, allowing an attacker to steal highly sensitive usernames and passwords for Facebook, WordPress, Twitter, Google, Yahoo and even online banking accounts, among others.

Similar vulnerabilities, the team added, could be used to manipulate antivirus software on the phone, changing definitions to include benign apps or ensure that malicious ones are ignored.

"The cumulative install base of the apps with confirmed vulnerabilities against MITM attacks lies between 39.5 million and 185 million users, according to Google's Play Market. Actually Google's Play Market does not give a precise number of installs, instead giving a range. The actual number is likely to be larger, since alternative app markets for Android also contribute to the install base," the researchers wrote.

According to the H-Online, the team plans to make the code analysis tool it developed for the research public "in the near future."

Email Jon Gold at jgold@nww.com and follow him on Twitter at @NWWJonGold.

Read more about wide area network in Network World's Wide Area Network section.

"Suggesting that people's "purpose is to get information to flow through the ..."

Why change management doesn’t work
"Darn those pesky laws that get in the way of commercial exploitation ..."

Larry Page wants to see your medical records
"Instead of partitioning the device between corporate and personal data, another approach ..."

Dual-Persona Smartphones Not a BYOD Panacea
"Well that's a nice back-handed compliment isn't it? So now, finally, my ..."

After two-year hiatus, EFF accepts bitcoin donations again
"Actually, both Mobile App developers and CIOs should be blamed for it. ..."

CIOs struggle to deliver timely mobile business apps: survey

Tags: Networking, wireless, Android security, Android, anti-malware, mobile apps, Facebook, SSL vulnerability, consumer electronics, Google, security, mobile security, smartphones, software, Google Play Store

Latest Blog Posts

Whitepapers

Android Malware Exposed
Take an in-depth look at the evolution of android malware. The world of malware targeting the Android OS is similar yet very different from malware affecting Windows. Explore the rapidly evolving world of android malware and shed light on the various techniques used to exploit devices using this OS.

Learn more »
In Control at Layer 2: A Tectonic Shift in Network Security
Network hacking and corporate espionage are on the rise and set to intensify. Information security risks remain commonplace, and most organisations need to increase vigilance. This paper has analyses the realistic threats to fibre optic Ethernet networks – both at the LAN and WAN level. Read now.

Learn more »
Benefits of Deploying Microsoft Exchange Server 2010 on Dell Compellent with Data Progression
Messaging and collaboration platforms have emerged as mission critical applications, consuming a large portion of IT spending for organisations. The rich features in these applications have significantly changed the messaging requirements and needs of today’s information from anywhere with any device, the result is an ever increasing demand on storage systems both in terms of capacity and bandwidth. Many organisations are rethinking their storage strategies to meet the demanding criteria and to handle the future requirements. Read more.

Learn more »

All whitepapers

Most Read
Most Commented

Get exclusive access to Invitation only events CIO, reports & analysis.

Latest Jobs

FTJob Title: Mac Systems/ Enterprise Systems EngineerNZ
FTSenior Python DeveloperNSW
FTOS Web Applications DeveloperNSW
FTTechnical Business AnalystNSW
FTFlash / ActionScript Developer - ContractNSW
FTLead Software EngineerSA
FTR&D EngineerSA
FT.NET - Sitecore Developer - Melbourne - PermNSW
FTQuality ManagerSA

Zones

Featured Whitepapers

The Power of Cloud

Although cloud is widely recognized as a technology game changer, its potential for driving business innovation remains virtually untapped. To take advantage of cloud’s potential to transform internal operations, customer ...

Recent comments

"Suggesting that people's "purpose is to get information to flow through the ..."
Why change management doesn’t work
"Darn those pesky laws that get in the way of commercial exploitation ..."
Larry Page wants to see your medical records
"Instead of partitioning the device between corporate and personal data, another approach ..."
Dual-Persona Smartphones Not a BYOD Panacea
"Well that's a nice back-handed compliment isn't it? So now, finally, my ..."
After two-year hiatus, EFF accepts bitcoin donations again
"Actually, both Mobile App developers and CIOs should be blamed for it. ..."
CIOs struggle to deliver timely mobile business apps: survey

Follow CIO

Market Place

Deploying mobility worthwhile challenge hear what CIOs have to say.. Read more

Australian Breakfast Road Show: Enabling Proactive Security for Tomorrow's Business Trends

Switch on The Symantec Business Critical Virtualisation Content Zone

Now out of the office never means out of the loop. Office 365 – your complete office in the cloud.

Latest Jobs

Subscribe to CIO

Critical. Authoritative. Strategic. CIO magazine addresses the issues vital to the success of IT and business executives. Solutions-oriented editorial provides a greater understanding of the role IT plays in achieving corporate goals. Subscribe to the print edition today.

Download OPML file for import with all IDG RSS feeds

CSO Online Data Security Briefing

Some Android apps have serious SSL vulnerabilities, researchers say

Recommended

BYOD and ITSM: What you need to know

The pros and cons of IT offshoring

Tapping into social experience: Tourism Australia

Homeless multinationals and taxing decisions

IT sourcing: in or out?

Avoiding your cloud vendor’s success trap

10 Tips for Dealing with a Bully Boss

5 open source help desk apps to watch

How to define the scope of a project

PMBOK vs PRINCE2 vs Agile project management

CenITex to become service “broker”

Opinion: Why national e-health is not for everyone

Dual-Persona Smartphones Not a BYOD Panacea

Larry Page wants to see your medical records

eBay bids on big data challenge

Big Data Gold Isn't Always Where You Would Expect It

Symantec Business Critical Virtualisation Content Zone

BlackBerry Enterprise Service 10 Zone

HP Tech Connect Resource Centre

The Power of Cloud

Enable Flexible Working

NetApp FAS6240 Clustered SAN Champion of Champions

Best Practices for ERP Implementation

Legal Compliance in Electronic Record Keeping