Android applications are once again in the hotseat over possible security vulnerabilities.
Security researchers at the Leibniz University of Hanover in Germany recently released a study (PDF) examining the way in which legitimate Android applications in the Google Play marketplace respond to attacks on security protocols known as Secure Sockets Layer (SSL) and Transport Layer Security (TLS). In eight percent of those cases, the researchers found that apps used the security protocols improperly, leaving sensitive data open to hackers with some know-how.
The security team, however, didn’t suggest that anyone has yet deliberately exploited these vulnerabilities.
SSL and TLS are popular security protocols employed across the Web and in Android apps. The protocols encrypt network connection segments to allow for supposedly safe data transmission of sensitive information. However, the researchers argue that some Android applications that connect to the Web and need to transfer data, such as passwords and account information, aren’t using the SSL and TLS protocols properly.
“We introduce MalloDroid, a tool to detect potential vulnerability against Man-In-the-Middle (MITM) attacks,” the researchers wrote. “Our analysis revealed that 1,074 (8.0%) of the apps examined contain SSL/TLS code that is potentially vulnerable to MITM attacks. Various forms of SSL/TLS misuse were discovered during a further manual audit of 100 selected apps that allowed us to successfully launch MITM attacks against 41 apps and gather a large variety of sensitive data.”
MITM attacks occur when a third party — a hacker, thief, spy or what-have-you — inserts itself into a connection between two devices while maintaining the illusion that they are only communicating with each other. All the while, the hacker is capturing the data.
The team found that over 1,000 applications are willing to communicate over SSL with anything that sends out a certificate to communicate. That, the researchers say, allows for MITM attacks, since the third-party hacker can quickly connect with an app.
To further determine the extent to which the vulnerabilities could affect users, the researchers chose 100 apps to analyze. Of those, 41 were confirmed to contain vulnerabilities. When exploiting those vulnerabilities, the researchers found that they were able to access credentials for everything from credit cards to social media accounts.
Making matters worse, the researchers found that of those 41 apps, the cumulative install base of the apps is somewhere between 39.5 million and 185 million users, as determined by the range of application downloads provided by the Google Play store. Three of the applications had user install bases of 10 to 50 million.
What can be done to address the problems? Improved permissions and policies built into the operating system might help; so would policies that prevent developers from using their own methods for handling SSL or TLS. The researchers say that Google should also consider checking apps for vulnerable SSL/TLS code before allowing them into its marketplace.
CNET has contacted Google for comment on the findings. We will update this story when we have more information.