22 Oct 2012

SSL Flaws Make Android Apps Vulnerable to Attack


More than 17 per cent of Android apps are vulnerable to man-in-the-middle attacks because of their insecure SSL/TLS code, according to a paper from Leibniz University in Hannover.

The German research revealed 1,074 out of a sample of 13,000 Android apps may be exploited by hackers to expose sensitive data. The vulnerable apps include code that either bypasses SSL verification by accepting all certificates (790 apps), or accepts all hostnames as long as a Certificate Authority signed the certificate (284 apps).

By exploiting those vulnerabilities, hackers can capture credentials from American Express, Diners Club PayPal, bank accounts, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, remote control servers, arbitrary e-mail accounts, and IBM Sametime.

“We were able to inject virus signatures into an anti-virus app to detect arbitrary apps as a virus or disable virus detection completely,” researchers said.

The paper included an online survey that showed half of respondents can’t correctly judge whether or not their Android’s browser session was protected by SSL/TLS.

For the analysis, German researchers used a tool that scans SSL implementations. MalloDroid will be available as a Web app and as part of the Androguard security scanner.