Research Says – Poor Android App SSL Implementations Leave Serious Vulnerabilities

Google has been trying to up the quality of apps in the Google Play store. However, Android apps still lack a lot when it comes to security and quality, in comparison with iOS apps. Now, a new group of researchers has confirmed this, citing poor SSL implementations in many Android apps.


Google Play

The research was a joint collaboration between multiple German universities and during the course of it, 13,500 popular Google Play apps were analysed. Surprisingly, more than 1,000 of these apps had rather poor SSL/TLS implementations, leaving them open to serious security exploits.

Poor SSL implementation in an app leaves it open to the middle-man attack. This means that a person can intercept critically important data between the user and the app developer. The data may comprise of personal information as well as financial credentials.

To prove the case, the researchers mounted a proof-of-concept attack against the vulnerable apps and were able to gather credit card numbers, bank account details as well as detailed information of the users’ social media accounts.

According to the paper published by these researchers, “Of the 100 apps selected for manual audit, 41 apps proved to have exploitable vulnerabilities. We could gather bank account information, payment credentials for PayPal, American Express and others. Furthermore, Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted.”

While that serves as a reminder for Google to improve the security of the apps it hosts on Google Play store, it is also a warning for the users. While the official apps from notable vendors are often fool-proof security-wise, third-party apps are not always secure.

A security researcher advised Android users to be careful when using such third-party apps, “As far as users go, I think the biggest lesson to be learned is that downloading third-party unofficial apps can be risky (eg.  downloading an unofficial banking app instead of the one actually released by your bank) for a number of reasons including poor coding practices.”

Source: Research Paper

Courtesy: Threat Post

[ttjad keyword=”android-device”]

Salman

Salman Latif is a software engineer with a specific interest in social media, big data and real-world solutions using the two.Other than that, he is a bit of a gypsy. He also writes in his own blog. You can find him on Google+ and Twitter .

Leave a Reply