Wednesday 24 October 2012

8% of Android apps are vulnerable to attack

How often do you use apps on your mobile device? If you’re like us, you probably connect to the web via mobile apps dozens of times per day. And, hopefully, like us, you realize that mobile devices are no safer than personal computers when it comes to sending sensitive material over the web. Unfortunately, most people don’t share this sense of caution and operate under the false confidence that mobile devices are hack-proof or somehow more secure than a PC.

But in an effort to test this sense of security, security researchers at Leibniz University of Hannover in Germany conducted a study looking at how popular Android apps in the Google Play marketplace handle attacks on the security protocols Secure Sockets Layer (SSL) and Transport Layer Security (TLS).

Most browsers will show a lock image when connecting via SSL or TLS, indicating the connection is secure.

Horrifyingly, the study found that about 8% of the apps examined misused these two security protocols, leaving users’ sensitive information vulnerable to exposure. And we’re talking really sensitive data – think credit card numbers and passwords.

Fortunately, the researchers said they have no evidence these attack strategies are currently being used.

SSL and TLS work by encrypting data over network connections so that, in theory, user information cannot be read or extracted in transit. The protocols are used extensively all over the web, and especially by Android applications, to transmit things like credit card details and other sensitive data.

Researchers used a tool called MalloDroid to identify apps whose SSL/TLS code was potentially vulnerable, then carried out “Man in the Middle” (MITM) attacks against a selection of those apps. In a MITM attack, the attacker sits between the app and the server it is talking to, inside the SSL or TLS connection, and can read or alter the traffic as the app communicates with its target.

We introduce MalloDroid, a tool to detect potential vulnerability against MITM attacks. Our analysis revealed that 1,074 (8.0%) of the apps examined contain SSL/TLS code that is potentially vulnerable to MITM attacks. Various forms of SSL/TLS misuse were discovered during a further manual audit of 100 selected apps that allowed us to successfully launch MITM attacks against 41 apps and gather a large variety of sensitive data. Furthermore, an online survey was conducted to evaluate users' perceptions of certificate warnings and HTTPS visual security indicators in Android's browser, showing that half of the 754 participating users were not able to correctly judge whether their browser session was protected by SSL/TLS or not. [LUH]
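The quoted abstract describes MalloDroid as a detector for SSL/TLS code that is potentially vulnerable to MITM attacks. The script below is an added example, not the researchers' tool: it applies a simplified, source-level version of the same idea, scanning Android/Java source text for the code shapes that switch off certificate or hostname validation (an all-accepting X509TrustManager, a HostnameVerifier that always returns true, Apache HttpClient's ALLOW_ALL_HOSTNAME_VERIFIER, and a WebViewClient that calls proceed() on SSL errors). MalloDroid itself worked on decompiled APKs; the regex rules, the two Java samples and the rule names here are constructed assumptions for illustration.

```python
"""Heuristic scanner for SSL/TLS misuse patterns in Android source text.

Added, constructed example. It is a simplified source-level analogue of
MalloDroid's idea, not the researchers' tool; the rules and the two Java
samples below are assumptions made for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str      # short rule name
    line: int      # 1-based line in the scanned source
    snippet: str   # first line of the matched code


# (rule name, pattern, why it matters for the defender)
RULES = [
    ("empty-trust-manager",
     # checkServerTrusted(...) { } never throws, so every chain is accepted.
     re.compile(r"checkServerTrusted\s*\([^)]*\)[^{;]*\{\s*\}"),
     "X509TrustManager.checkServerTrusted has an empty body"),
    ("allow-all-hostname-verifier",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER"),
     "Apache HttpClient ALLOW_ALL_HOSTNAME_VERIFIER disables hostname checks"),
    ("hostname-verifier-returns-true",
     re.compile(r"verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)"
                r"[^{]*\{\s*return\s+true\s*;\s*\}"),
     "HostnameVerifier.verify always returns true"),
    ("webview-proceed-on-ssl-error",
     # lazy match that cannot cross a closing brace, so only the same method body counts
     re.compile(r"onReceivedSslError[^}]*?\.proceed\s*\(\s*\)"),
     "WebViewClient.onReceivedSslError ignores the error via proceed()"),
]
EXPLANATIONS = {name: why for name, _, why in RULES}


def scan_source(source: str) -> list[Finding]:
    """Return every rule hit in the source, ordered by line number."""
    findings = []
    for name, pattern, _ in RULES:
        for m in pattern.finditer(source):
            line = source.count("\n", 0, m.start()) + 1
            snippet = m.group(0).splitlines()[0].strip()
            findings.append(Finding(name, line, snippet))
    return sorted(findings, key=lambda f: f.line)


def is_potentially_vulnerable(source: str) -> bool:
    """MalloDroid-style verdict: any hit means 'potentially vulnerable to MITM'."""
    return bool(scan_source(source))


# Constructed sample: all four misuse patterns in one file.
VULNERABLE_SOURCE = """\
class NaiveTrustManager implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] chain, String authType) { }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}
class NaiveHostnameVerifier implements HostnameVerifier {
    public boolean verify(String hostname, SSLSession session) {
        return true;
    }
}
SSLSocketFactory sf = SSLSocketFactory.getSocketFactory();
sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
class NaiveWebViewClient extends WebViewClient {
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.proceed();
    }
}
"""

# Constructed sample: the same hooks with validation delegated to the platform defaults.
HARDENED_SOURCE = """\
class DelegatingTrustManager implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        defaultTm.checkServerTrusted(chain, authType);
    }
    public X509Certificate[] getAcceptedIssuers() { return defaultTm.getAcceptedIssuers(); }
}
class StrictHostnameVerifier implements HostnameVerifier {
    public boolean verify(String hostname, SSLSession session) {
        return HttpsURLConnection.getDefaultHostnameVerifier().verify(hostname, session);
    }
}
class StrictWebViewClient extends WebViewClient {
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.cancel();
    }
}
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SOURCE), ("hardened", HARDENED_SOURCE)):
        print(f"{label}: potentially vulnerable = {is_potentially_vulnerable(src)}")
        for f in scan_source(src):
            print(f"  line {f.line}: {f.rule} -> {EXPLANATIONS[f.rule]}  |  {f.snippet}")
```

Run as a script it reports four hits for the constructed vulnerable sample and none for the hardened one. Like MalloDroid's static pass, a hit only says the code is potentially vulnerable; the study's authors still audited apps by hand before confirming which ones actually exposed data.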

More than any time before, we, as consumers, rely on tech providers to protect our sensitive data. But the fact is, no company provides flawless security. At SumRando, we encourage all of our users to not only educate themselves on security issues, but to take responsibility for their online safety with a solid VPN.
