Study finds security holes in Android apps millions download

Android Security
That app might not be as secure as you hope

Those free third-party apps for Android may not be as secure as most consumers think.

A group of computer scientists showed that as many as 185 million Android users could be exposing online banking info and social network credentials along with email/IM contacts and content.

The researchers identified 41 apps on Google's Play Market for Ice Cream Sandwich that leaked important information as it travelled from the phone to the end server.

The scientists didn't publicly identify the vulnerable apps but did say they had been downloaded 39.5 million to 185 million times. The researchers blamed certificate authorities and websites for not putting the proper protections in place.

The group, which consists of computer scientists from Germany's Leibniz University of Hannover and Philipps University of Marburg, presented its findings at this week's Computer and Communications Security conference.

Attacking Android

The scientists recreated app use on a local area network to test an array of well-known exploits to steal sensitive information.

The researchers were able to break the secure sockets layer (SSL) and transport layer security (TLS) protocols used by apps to protect users' info. Though SSL and TLS technology is considered generally safe, breaches can occur when developers or websites don't take the proper steps to protect users.

"We could gather bank account information, payment credentials for PayPal, American Express and others," the researchers wrote in their paper.

"Furthermore, Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted."

Android app: the study

The scientists started by downloading 13,500 free apps from Google Play and tested whether their SSL implementation was vulnerable to exploitation.

The researchers were curious how well these apps could stand up to Man-In-The-Middle (MITM) attacks, which target information that transfers over public Wi-Fi hotspots and other insecure networks.

After the static analysis the team found that 8 percent (or 1,074 apps) contained "SSL specific code that either accepts all certificates or all hostnames for a certificate and thus are potentially vulnerable to MITM attacks."

The researchers then picked 100 of the apps to manually audit by connecting them to a network that used an SSL proxy.

The findings

In some cases, apps accepted SSL certificates that the researchers had signed themselves, even though they weren't a valid certificate authority. Other apps accepted certificates issued for a domain name other than the site the app was supposed to be talking to.

The scientists successfully used SSLstrip attacks as well, which downgrade an encrypted SSL connection to an unencrypted one. Some apps also accepted certificates signed by authorities that were no longer valid.

Examples include an anti-virus app that accepted invalid certificates and so allowed the team to feed it their own malicious signature update. A third-party app for a "popular Web 2.0 site with up to 1 million users" also leaked Facebook and Google credentials when the user logged into those sites.

The researchers didn't disclose which specific apps were vulnerable, presumably so the susceptible apps wouldn't be branded easy targets. Instead they used general terms such as "very popular cross-platform messaging service."

Most of the programs used in the study seemed to be free, third-party apps rather than the official versions from sites and services.

Google not to blame, but can do plenty to help

The group also noted that none of the apps were developed by the search giant, but Google's engineers can help make these apps secure. One way is to make it clearer to users when the connection provided by an app is encrypted and when it isn't.

The study shows how vulnerable SSL and TLS protocols can be when developers don't take the proper steps to secure their infrastructure. Since SSL and TLS form the basis for almost all security for getting data from user to server, those software engineers should take note.

The authors pointed out a few methods by which Android developers can better protect their apps. One is certificate pinning, which makes it much harder for an app to accept a fake certificate.
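To make the contrast concrete, here is an added example (not code from the paper or from any of the audited apps) showing the two weak patterns the static analysis flagged, an accept-all trust manager and an accept-all hostname verifier, beside a pinning trust manager of the kind the authors recommend. The pin value is a placeholder; a real app would ship the SHA-256 of its server's public key.

```java
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;
import javax.net.ssl.X509TrustManager;
// WEAK: the "accept all certificates" pattern the study flagged. Every chain
// passes, including one minted by whoever runs the Wi-Fi hotspot.
final class AcceptAllTrustManager implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] chain, String authType) {}
    public void checkServerTrusted(X509Certificate[] chain, String authType) {}
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}

// WEAK: the "accept all hostnames" pattern. A genuine certificate issued for
// some other domain is accepted for the bank's server.
final class AcceptAllHostnameVerifier implements HostnameVerifier {
    public boolean verify(String hostname, SSLSession session) { return true; }
}

// HARDENED: certificate pinning on top of normal CA validation. The leaf
// certificate's public key must hash to a value shipped inside the app.
// PINNED_SPKI_SHA256 is a placeholder, not a value taken from the paper.
final class PinningTrustManager implements X509TrustManager {
    private static final String PINNED_SPKI_SHA256 =
        "0000000000000000000000000000000000000000000000000000000000000000";
    private final X509TrustManager platform; // the device's default validator
    PinningTrustManager(X509TrustManager platform) { this.platform = platform; }
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        platform.checkServerTrusted(chain, authType); // CA chain, expiry etc. first
        byte[] digest;
        try {
            digest = MessageDigest.getInstance("SHA-256")
                    .digest(chain[0].getPublicKey().getEncoded());
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
        String hex = String.format("%064x", new BigInteger(1, digest));
        if (!hex.equals(PINNED_SPKI_SHA256)) {
            throw new CertificateException("server public key does not match pin");
        }
    }
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { platform.checkClientTrusted(chain, authType); }
    public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }
}
```

The pinning manager is installed the usual way, by passing it to `SSLContext.init` wrapped in a `TrustManager[]`, and the platform validator it delegates to is obtained from `TrustManagerFactory`; an app using the two weak classes instead would pass the study's proxy test without complaint.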

But it seems like you get what you pay for when trusting sensitive information with a free third-party banking application.

Users looking to protect themselves can subject new apps to the same kind of static analysis the scientists did before installing them. Or concerned users might simply refrain from transmitting personal data over public, unsecured Wi-Fi networks.

Via Ars Technica, the study "Why Eve and Mallory Love Android"