A security vendor has raked the Google Play store and the Android ecosystem over the coals for allowing apps that have SSL vulnerabilities susceptible to man in the middle attacks to be made available to the public.
The “attacks they enable are wreaking havoc on data security,” researchers at FireEye Inc. said in a blog posting on Thursday.
“The FireEye Mobile Security Team analyzed Google Play’s 1,000 free most downloaded Android applications and found that a significant portion of them are susceptible to MITM attacks. These popular apps allow an attacker to intercept data exchanged between the Android device and a remote server. We notified the developers, who acknowledged the reported vulnerabilities and addressed them in subsequent versions of their applications.”
As an open ecosystem, Android apps have long been criticized by security pros as being among the riskiest mobile applications unless they are from reputable publishers. Google scans the Play store for vulnerabilities, but the FireEye analysis suggests it still isn’t doing a good enough job,
Incorrect use of the Android platform’s SSL libraries can expose applications to MITM attacks, write the researchers, where traffic from the application to a server or vice versa can be intercepted, exported, modified or redirected.
Of the 1,000 apps studied, 674 had at least one of these three vulnerabilities:
- Trust managers that don’t check certificate chains from remote servers, making it possible for an MITM attack to succeed. Verifying certificates to ensure that they are signed by a known and trusted Certifying Authority (CA) is an integral part of certificate- based, client-server communication.
Of the 614 applications that use SSL/TLS to communicate with a remote server, 448 (~73 per cent) do not check certificates;
- Replacement of platform hostname verifiers by application hostname verifiers that don’t verify the hostname of the remote server. Having a trust manager that checks certificates is not sufficient in this case, as the attacker may have a certificate signed by a trusted certifying authority and may present a valid certificate chain. Therefore, to prevent a MITM attack, the hostname of the server extracted from the CA-issued certificate must match the hostname of the server the application intends to connect;
About 50 apps (eight per cent) had this problem;
- Applications ignoring SSL errors when they use WebKit to render server pages in mobile applications.
Of the 285 apps that use Webkit, 219 (~77%) ignore SSL errors generated in Webkit.
Among the problems are apps where the developer’s own code is fine but third-party libraries used have vulnerabilities. These can include the Flurry ad library prior to version 3.4, and the Chartboots ad library prior to version 2.0.1.
Apps the researchers found that are inherently vulnerable include Camera360 Ultimate, which fixed the issues on July 29.