Encryption found insufficient in many Android apps
Source: Fahl, Harbach, Muders, Smith, Baumgärtner, Freisleben Researchers have discovered catastrophic conditions when analysing Android applications that use encryption: more than 1,000 of the 13,500 most popular Android apps showed signs of a flawed and insecure implementation of the SSL/TLS encryption protocol. Tests performed on 100 selected apps confirmed that 41 of them were vulnerable to known attacks. The researchers harvested users' bank and credit card details as well as the access tokens for their Facebook, Twitter and email accounts, and messaging services.
In a particularly striking test, the researchers injected a bogus virus signature into Zoner AntiVirus for Android that referred to the app itself. The AV app dutifully proceeded to classify itself as a threat and then offered to delete itself.
The researchers first examined the apps for typical signs that the code might insufficiently check the certificates which verify a communication partner's identity. As they could not be completely certain that the identified code was actually being used, they then carried out targeted man-in-the-middle attacks to crack the encrypted connection.
The vulnerabilities they found can be divided into two categories: 20 apps simply accepted any certificate, while the other 21 did check whether the certificate carried a valid signature, but didn't verify whether it was issued to the correct name. This allowed the security experts to fool the anti-virus software with a valid certificate for its own server. The H's associates at heise Security discovered the same type of problem two years ago in an iPhone banking app (S-Banking iPhone app).
The researchers from Leibniz University in Hannover and Philipps University in Marburg have compiled their findings in a paper entitled "Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security". They plan to release the MalloDroid tool that they developed for their code analysis in the near future. While the experts haven't disclosed any actual names, the affected applications don't seem to be among the particularly obscure ones: according to Google Play, the apps that are affected by the holes have been installed 39.5-185 million times.