Google has been trying to up the quality of apps in the Google Play store. However, Android apps still lack a lot when it comes to security and quality, in comparison with iOS apps. Now, a new group of researchers has confirmed this, citing poor SSL implementations in many Android apps.
The research was a joint collaboration between multiple German universities and during the course of it, 13,500 popular Google Play apps were analysed. Surprisingly, more than 1,000 of these apps had rather poor SSL/TLS implementations, leaving them open to serious security exploits.
Poor SSL implementation in an app leaves it open to the middle-man attack. This means that a person can intercept critically important data between the user and the app developer. The data may comprise of personal information as well as financial credentials.
To prove the case, the researchers mounted a proof-of-concept attack against the vulnerable apps and were able to gather credit card numbers, bank account details as well as detailed information of the users’ social media accounts.
According to the paper published by these researchers, “Of the 100 apps selected for manual audit, 41 apps proved to have exploitable vulnerabilities. We could gather bank account information, payment credentials for PayPal, American Express and others. Furthermore, Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted.”
While that serves as a reminder for Google to improve the security of the apps it hosts on Google Play store, it is also a warning for the users. While the official apps from notable vendors are often fool-proof security-wise, third-party apps are not always secure.
A security researcher advised Android users to be careful when using such third-party apps, “As far as users go, I think the biggest lesson to be learned is that downloading third-party unofficial apps can be risky (eg. downloading an unofficial banking app instead of the one actually released by your bank) for a number of reasons including poor coding practices.”
Source: Research Paper
Courtesy: Threat Post