Security researchers have found that popular Android apps, downloaded by as many as 185 million users, are vulnerable to attackers seeking to obtain bank account information thanks to poor implementation of SSL and TLS security.
A paper published at the ACM Conference on Computer Security 2012 looked at how the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols were implemented in the 13,500 most popular free apps from Google’s Play Market.
Researchers then studied their properties with respect to the usage of SSL, with emphasis on the apps’ vulnerability against Man-in-the-Middle (MITM) attacks due to the inadequate or incorrect use of SSL.
The results were appalling. Forty-one of the 100 apps selected for manual audit were vulnerable to MITM attacks due to various forms of SSL misuse. From the 41 offending apps, the researchers could capture credentials for American Express, Diners Club, Paypal, bank accounts, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, remote control servers, arbitrary email accounts, and IBM Sametime.
Overall, 1,074 apps contain SSL-specific code that either accepts all certificates or all hostnames for a certificate and thus are potentially vulnerable to MITM attacks. The research group was able to inject virus signatures into an anti-virus app to detect arbitrary apps as a virus or disable virus detection completely.
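The two misuse patterns the study counts (a trust-all certificate check and an accept-all hostname verifier) are shown below beside a client that keeps the platform's own verification and can optionally pin a CA certificate bundled with the app. This is an added example written against Android's standard javax.net.ssl API, not code from the paper or the article; the class name and the pinnedCa stream are assumptions.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class SslMisuse {

    // ANTI-PATTERN 1: "accepts all certificates". An empty checkServerTrusted
    // lets any chain pass, including one minted by whoever sits in the path.
    static final TrustManager[] TRUST_ALL = new TrustManager[] {
        new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) {}
            public void checkServerTrusted(X509Certificate[] c, String a) {}
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };

    // ANTI-PATTERN 2: "accepts all hostnames". A valid CA-signed certificate
    // for some unrelated domain is accepted, so the name check protects nothing.
    static final HostnameVerifier ALLOW_ALL = (hostname, session) -> true;

    // HARDENED: never install the two objects above. Keep the platform chain and
    // hostname validation; optionally restrict trust to one pinned CA certificate.
    // pinnedCa is an assumed InputStream (e.g. opened from the app's assets);
    // pass null to rely on the device's default trust store.
    static HttpsURLConnection openVerified(URL url, InputStream pinnedCa) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        if (pinnedCa != null) {
            Certificate ca = CertificateFactory.getInstance("X.509").generateCertificate(pinnedCa);
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(null, null);                       // empty in-memory store
            ks.setCertificateEntry("pinned-ca", ca);   // the only trusted issuer
            TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ks);
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, tmf.getTrustManagers(), null);
            conn.setSSLSocketFactory(ctx.getSocketFactory());
        }
        // The default HostnameVerifier stays in place, so the certificate must
        // match url.getHost(); a mismatch raises an exception at connect time.
        return conn;
    }
}
```

Code review or static scanning for an X509TrustManager whose checkServerTrusted body is empty, or for a HostnameVerifier that always returns true, is a quick way to find the same two defects in an app before release.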
The apps aren’t warning users about potential exposure, either. Half of the Android users who participated in an online survey — 378 out of the 754 — did not judge the security state of a browser session correctly while 419 of the 754 participants (55.6%) had not seen a certificate warning before and typically rated the risk they were warned against as medium to low.
“Data cannot be made safe using only transport encryption, or relying on the device encryption itself. This research shows how inadequate that approach really is and how attackers or even the curious can bypass it with trivial ease. The only alternative is to ensure the data is protected under the direct control of the enterprise, beyond the device, at the data level, by granular policy,” said Mark Bower, data protection expert and VP at Voltage Security.
To detect leaks, researchers at Zscaler ThreatLabZ have developed a free tool called Zscaler Application Profiler that lets you check the security of any app before you download it. It lets you know if an app leaks your username and password, UDID info, PII, and more.
This security lapse should give pause to anyone engaged in the whole BYOD trend in the workplace, because even though smartphones and tablets have encryption, they aren’t using it very well.
“When organizations get asked to provide sensitive application access to mobile devices beyond just email, the security of the device itself and its underlying controls becomes more important. This ‘next app’ phenomenon is going to drive the need for more advanced security scrutiny and controls for mobile devices beyond simply mobile OS management. This recent SSL issue showing susceptibility to MITM attacks is an eye opener that trusting mobile platforms comes at some risk,” said Eric Ahlm, research director for security at Gartner.