Computer scientists from Germany's Leibniz University of Hannover and Philipps University of Marburg have found that apps downloaded by as many as 185 million people have been putting users' online banking and social networking credentials at risk, along with the contents of their e-mail and instant messages. Ars Technica reports that the researchers attribute this to the programs using inadequate encryption protections.
The researchers have details on 41 applications in the Play store that breached user security by leaking sensitive data. These apps “traveled between handsets running the Ice Cream Sandwich version of Android and webservers for banks and other online services.”
Some apps on Google Play have been found to be vulnerable
Interestingly, the researchers achieved their breakthrough by overcoming the secure sockets layer and transport layer security protections put in place by the apps. They did this by connecting the devices to a local area network on which they used a host of popular exploits. Without identifying the programs, the scientists have shared that the apps had been downloaded between 39.5 million and 185 million times, based on Google statistics.
The researchers could access bank account information, payment credentials for PayPal, American Express, and other details. The report quoted them as saying, “Furthermore, Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted.” Also included in the exposed data were the contents of e-mails and instant messages.
While researchers found no evidence indicating that any of the suspicious apps were developed by Google employees, they opine that Google engineers could surely work towards ensuring that Android apps implement the encryption more securely.
The report shares further, “The findings underscore the fragility of the SSL and TLS protocols, which together form the basis for virtually all encryption between websites and end users. While the technology itself is generally considered secure, its protection can be undermined when certificate authorities fail to secure their infrastructure or websites don't take proper precautions. The paper, presented at this week's Computer and Communications Security conference, exposes yet another point of failure, which is poor implementation by app developers.”
In his statement to Ars Technica, Jon Oberheide, CTO of mobile firm Duo Security, added, “All things said, it's generally good research that should make developers more aware of these basic security deficiencies that shouldn't have made it through any respectable QA process. Needless to say, security isn't top of mind of most mobile developers.”
As part of their research, the scientists downloaded 13,500 free apps from Google Play and put them through a “static analysis”. These tests checked whether the apps' SSL implementations were potentially vulnerable to “man-in-the-middle” exploits, in which attackers “monitor or tamper with communications flowing over public Wi-Fi hotspots or other unsecured networks.”
The researchers found that 1,074 apps, or eight percent of the sample, contained “SSL specific code that either accepts all certificates or all hostnames for a certificate and thus are potentially vulnerable to MITM attacks.”
From the list of 1,074 potentially vulnerable apps, the researchers picked 100 and put them through a manual audit, connecting them to a network that “used an SSL proxy to test whether the SSL implemented in the devices could be defeated.”
The researchers found that in a couple of cases the apps accepted SSL certificates signed by the researchers themselves rather than by a valid certificate authority. In other cases, “the accepted certificates authorized a domain name other than the one the app was accessing. In still other cases, the apps were defeated by attacks including SSLstrip, which researcher Moxie Marlinspike demonstrated in 2009. Some apps also accepted certificates signed by authorities that are no longer valid. (It appears the Android operating system gives end users a means to manually disable various CAs.)”
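The two code patterns the static analysis flagged, an "accept all certificates" trust manager and an "accept all hostnames" verifier, shown beside the hardened alternative. This is an added illustration written for this page, not code from the paper or from any of the audited apps; the class and method names are assumptions.

```java
import java.io.IOException;
import java.net.URL;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class SslPatterns {  // hypothetical class name

    // VULNERABLE: "accepts all certificates". checkServerTrusted never throws,
    // so a chain signed by anyone, including a MITM proxy, passes validation.
    static final TrustManager[] TRUST_ALL = new TrustManager[] {
        new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            public void checkServerTrusted(X509Certificate[] chain, String authType) {}
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };

    // VULNERABLE: "accepts all hostnames". A valid certificate for some other
    // domain is accepted for the host the app is actually talking to.
    static final HostnameVerifier ALLOW_ALL_HOSTS = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) { return true; }
    };

    // Weak connection: both checks disabled, which is what the researchers'
    // SSL proxy on the local network exploits.
    static HttpsURLConnection openWeak(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, TRUST_ALL, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(ALLOW_ALL_HOSTS);
        return conn;
    }

    // HARDENED: keep the platform defaults. HttpsURLConnection then validates
    // the chain against the device trust store and rejects certificates whose
    // name does not match the URL's host, so a proxy-signed or mismatched
    // certificate fails the handshake instead of being silently accepted.
    static HttpsURLConnection openDefault(URL url) throws IOException {
        return (HttpsURLConnection) url.openConnection();
    }
}
```

Code review or a simple grep for an empty `checkServerTrusted` body or a `verify` method that unconditionally returns `true` catches both weak patterns before they ship.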