Another warning about Android apps


A security vendor has raked the Google Play store and the Android ecosystem over the coals for making available to the public apps with SSL vulnerabilities that leave them susceptible to man-in-the-middle (MITM) attacks.

The “attacks they enable are wreaking havoc on data security,” researchers at FireEye Inc. said in a blog posting on Thursday.

“The FireEye Mobile Security Team analyzed Google Play’s 1,000 free most downloaded Android applications and found that a significant portion of them are susceptible to MITM attacks. These popular apps allow an attacker to intercept data exchanged between the Android device and a remote server. We notified the developers, who acknowledged the reported vulnerabilities and addressed them in subsequent versions of their applications.”

Apps in the open Android ecosystem have long been criticized by security pros as being among the riskiest mobile applications unless they are from reputable publishers. Google scans the Play store for vulnerabilities, but the FireEye analysis suggests it still isn’t doing a good enough job.

Incorrect use of the Android platform’s SSL libraries can expose applications to MITM attacks, write the researchers, where traffic from the application to a server or vice versa can be intercepted, exported, modified or redirected.

Of the 1,000 apps studied, 674 had at least one of these three vulnerabilities:

  • Trust managers that don’t check certificate chains from remote servers, making it possible for an MITM attack to succeed. Verifying certificates to ensure that they are signed by a known and trusted Certifying Authority (CA) is an integral part of certificate-based, client-server communication.

Of the 614 applications that use SSL/TLS to communicate with a remote server, 448 (~73 per cent) do not check certificates;

  • Replacement of platform hostname verifiers by application hostname verifiers that don’t verify the hostname of the remote server. Having a trust manager that checks certificates is not sufficient in this case, as the attacker may have a certificate signed by a trusted certifying authority and may present a valid certificate chain. Therefore, to prevent an MITM attack, the hostname of the server extracted from the CA-issued certificate must match the hostname of the server the application intends to connect to;

About 50 apps (eight per cent) had this problem;

  • Applications ignoring SSL errors when they use WebKit to render server pages in mobile applications.

Of the 285 apps that use WebKit, 219 (~77 per cent) ignore SSL errors generated in WebKit.
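The three flaw classes above leave recognizable traces in an app's Java code, so a source or decompiled-code review can flag them. The following is an added example, not code from FireEye or the article: the regexes are heuristic assumptions, and both Java samples (including the `platformTm` name) are constructed for illustration.

```python
import re

# Heuristic regexes for the three flaw classes named in the article. The
# patterns are assumptions made for this example, not FireEye's methodology.
CHECKS = {
    # X509TrustManager.checkServerTrusted with an empty body: chain never verified
    "trust_manager_no_chain_check": re.compile(
        r"void\s+checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+?)?\{\s*\}"),
    # HostnameVerifier.verify returning true unconditionally, or Apache's allow-all constant
    "hostname_verifier_accepts_all": re.compile(
        r"boolean\s+verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)"
        r"\s*\{\s*return\s+true\s*;\s*\}|ALLOW_ALL_HOSTNAME_VERIFIER"),
    # WebViewClient.onReceivedSslError that calls proceed() instead of cancel()
    "webview_ignores_ssl_errors": re.compile(
        r"void\s+onReceivedSslError\s*\([^)]*\)\s*\{[^}]*?\.proceed\s*\(\s*\)"),
}

def strip_comments(src):
    # Drop /* */ and // comments so commented-out code does not match.
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(?<!:)//[^\n]*", "", src)

def scan(src):
    # Return the sorted names of the flaw classes found in Java source text.
    code = strip_comments(src)
    return sorted(name for name, rx in CHECKS.items() if rx.search(code))

# Constructed sample containing all three flaws.
VULNERABLE = """
class TrustAll implements X509TrustManager {
  public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { /* accept */ }
}
HostnameVerifier hv = new HostnameVerifier() {
  public boolean verify(String host, SSLSession session) { return true; }
};
public void onReceivedSslError(WebView v, SslErrorHandler handler, SslError e) { handler.proceed(); }
"""

# Constructed sample that delegates to platform checks and rejects SSL errors.
HARDENED = """
public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
  platformTm.checkServerTrusted(c, a);
}
public boolean verify(String host, SSLSession session) { return HttpsURLConnection.getDefaultHostnameVerifier().verify(host, session); }
public void onReceivedSslError(WebView v, SslErrorHandler handler, SslError e) {
  handler.cancel(); // never handler.proceed() on a certificate error
}
"""
```

A match is a lead for manual review rather than proof, since obfuscated or indirect code can evade the patterns and a conditional handler may still call `cancel()` on the paths that matter.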

Among the problems are apps where the developer’s own code is fine but the third-party libraries it uses have vulnerabilities. These can include the Flurry ad library prior to version 3.4, and the Chartboost ad library prior to version 2.0.1.

Apps the researchers found that are inherently vulnerable include Camera360 Ultimate, which fixed the issues on July 29.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com