An analysis of thousands of apps found nearly 8% of them are vulnerable to what’s called a man-in-the-middle attack. That’s when a hacker intercepts data between the app and a Web server.
Developers prevent this type of digital eavesdropping by implementing a cryptographic protocol called a secure sockets layer of protection. But researchers from the Leibniz University in Hanover and Philipps University of Hamburg found is that many Android developers do a miserable job implementing secure sockets layer.
Using a self-built tool for identifying exploitable secure-sockets-layer, or SSL, bugs, the researchers analyzed 13,500 popular free apps on Google Play and found 1,074 vulnerable to man0in-the-middle attacks. The researchers examined 100 apps manually and found 41 with the same flaws.
The cumulative installed base of all vulnerable apps ranged from 39.5 million to 185 million devices, according to data the researchers gathered from Google Play.
“The actual number is likely to be larger, since alternative app markets for Android also contribute to the install base,” the researchers said in an overview of their findings.
So what were the researchers able to do with the security hole? Quite a bit.
From the 41 apps analyzed manually, the researchers captured credit-account numbers, bank account information, and logons and passwords for a bunch of sites, including American Express, Diners Club, PayPal, Facebook, Twitter, Google, Yahoo, Microsoft Live ID and Box.
The researchers also were able to disable anti-virus apps, and remotely inject and execute code.
For a hacker to do the same in the real world would not be easy, but it is possible. Man-in-the-middle attacks typically occur over compromised public Wi-Fi networks. In response, companies often set up virtual private networks for mobile employees to use when accessing corporate networks over the Internet.
Security experts were not surprised by the findings. Mobile-app development is immature, so mistakes in implementing something as complicated as a security protocol are expected. The same problems with secure sockets layer are found in site development, which has been around for 20 years.
With mobile apps, problems arise when the rush to get products to market lead to mistakes. Or the developer may not know how to properly secure a product, said Chester Wisniewski, senior security adviser for anti-virus vendor Sophos. Secure sockets layer is a fragile, multi-part technology and if any one piece is not set right, nothing works.
Carelessness also plays a part. Developers sometimes skip implementing secure-sockets-layer rules in beta versions of an app, and never go back when the app becomes generally available, Wisniewski said.
“Most developers don’t really understand how SSL actually works,” he said. “They just know that they’re suppose to use it.”
Fixing the problem
For a long time, experts have said that the biggest problem with Android apps is the lack of oversight. In many markets, apps go on sale before they are properly vetted, which leaves users at risk of downloading spyware, trojans and seriously flawed products.
Google Play is one of the most trusted Android markets. To combat malware, Google uses an automated system to examine each app. Nevertheless, as the latest research shows, the bar for quality remains too low, and much more needs to be done to protect users.