68 percent of top free Android apps vulnerable to cyberattack, researchers claim

Summary: Security researchers at FireEye claim the majority of the most popular free Android apps are susceptible to Man-In-The-Middle (MITM) attacks.


The majority of Android's most popular apps are susceptible to SSL vulnerabilities, according to new research.

Google's Android operating system is open source and free, which appeals to developers because of its unrestrictive nature. However, such an open system also creates the potential for abuse, inconsistent patching and security practices, and a wealth of Android-based operating systems and apps, many of which contain different vulnerabilities that can be exploited.

After analyzing the 1,000 most-downloaded free Android applications in the Google Play store, the FireEye Mobile Security Team found that a significant portion of them are susceptible to Man-In-The-Middle (MITM) attacks. According to a blog post published Thursday, the researchers found that as of July 17, 2014, 674 out of 1,000 contained at least one of three SSL vulnerabilities studied.

In other words, 68 percent of the most popular apps could become a pathway for cybercriminals to lift sensitive data.

Man-In-The-Middle (MITM) attacks occur when an attacker who sits on the network path between a device and a remote server is able to intercept the data exchanged between them. Once intercepted, that data can be read or altered freely; it could include usernames and passwords, emails, device IDs, location, photos and video. In addition, the vulnerabilities explored allow criminals to inject malicious files into vulnerable applications, launch DDoS attacks, or hold user data for ransom.

The security team says that many of these vulnerabilities were traced back to configurations within third-party advertising libraries, which app developers embed so that advertisements can be displayed without the app creator having to develop that functionality themselves.

While the HTTPS protocol is often used to make it harder to intercept data, the incorrect use of the Android platform’s SSL libraries can become the weak link which allows MITM attacks.

FireEye looked at three particular SSL vulnerabilities in its research: the use of trust managers that do not check certificates, hostname verifiers that do nothing, and SSL errors being ignored in WebKit-based WebViews. Of the 1,000 most-downloaded free apps in Google Play, 614 use SSL/TLS to communicate with a remote server; of those, 73 percent did not check certificates and 8 percent used their own hostname verifiers that do not check hostnames. Of the 285 apps that used WebKit, 77 percent ignored the SSL errors it generated.
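The three patterns counted above, each beside a safe alternative, as an added illustration in Android Java. This is not FireEye's code nor code from any of the apps studied; the class and method names are made up for the example, and it assumes the standard `javax.net.ssl` and `android.webkit` APIs.

```java
// Added illustration (not FireEye's or any app's code): the three Android
// SSL/TLS misuses the research counted, each beside a safe alternative.
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.IOException;
import java.net.URL;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public final class SslMisuseExamples {

    // 1. VULNERABLE: a trust manager whose checkServerTrusted() never throws,
    //    so any certificate chain, including an attacker's self-signed one,
    //    is accepted. Installed as the process-wide default it affects every
    //    HttpsURLConnection in the app (and in any bundled ad library).
    static final class TrustAllManager implements X509TrustManager {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    static void installTrustAllVulnerable() throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new TrustAllManager() }, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }

    // 2. VULNERABLE: a hostname verifier that returns true for every name.
    //    The chain may still be CA-signed, but a valid certificate for
    //    attacker.example is then accepted for api.example.com. (Apache
    //    HttpClient's SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER has the
    //    same effect.)
    static final HostnameVerifier ALLOW_ALL = new HostnameVerifier() {
        @Override public boolean verify(String hostname, SSLSession session) { return true; }
    };

    static void installAllowAllVulnerable() {
        HttpsURLConnection.setDefaultHostnameVerifier(ALLOW_ALL);
    }

    // 3. VULNERABLE: a WebViewClient that calls proceed() on an SSL error, so
    //    the WebView renders whatever the interceptor serves after a failed
    //    certificate check.
    static final class ProceedOnErrorClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.proceed();
        }
    }

    // SAFE: install no custom trust manager or hostname verifier at all.
    // HttpsURLConnection then validates the chain against the device trust
    // store and matches the hostname against the certificate by default.
    static HttpsURLConnection openSafe(String url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        // Nothing to configure here: the platform defaults verify both.
        return conn;
    }

    // SAFE: a WebViewClient that refuses to continue after a certificate error.
    static final class CancelOnErrorClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.cancel();  // abort the load; never call proceed() here
        }
    }
}
```

The safe variants are deliberately short: the fix for all three patterns is to delete the override, not to write a better one. If an app genuinely needs to trust a private CA, the correct approach is a trust manager built with `TrustManagerFactory` from a `KeyStore` that contains only that CA (or, on Android 7 and later, a Network Security Config), never an empty `checkServerTrusted`. When auditing an app, grepping decompiled code for `checkServerTrusted` bodies with no `throw`, `HostnameVerifier.verify` returning a constant `true`, `ALLOW_ALL_HOSTNAME_VERIFIER`, and `onReceivedSslError` calling `proceed()` finds exactly the three classes the study counted.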


The FireEye team notified the developers of the vulnerable apps it discovered; the developers acknowledged the reports and promised to address the vulnerabilities in subsequent versions of their applications.

In addition to this sample, the team also analyzed roughly 10,000 Google Play apps and estimates that approximately 40 percent use trust managers that do not check server certificates, exposing any data they exchange with their servers to potential theft. Furthermore, around seven percent use hostname verifiers that do not check anything, and 13 percent do not check SSL errors when WebKit is used.

  • Just 68%

    Android is getting secure :-D
    • Yeah

      And this research was brought to you by Apple and Microsoft.
      • Apple and Microsoft? Really?!

        FireEye has a service that they want to sell:

        Rabid Howler Monkey
  • Bahahaha....Android is full of security holes.

    Its too easy to abuse Android, developers can easily steal personal data from Android. Its a platform designed to be abused.... and Google benefits from it.

    Get a windows phone, its better and cheaper
    • Quoting you

      " Users being stupid is not an MS problem"
  • Typical troll response

    And here goes Loverock's alter-ego - the brudder with another mutha, Owl:Net, who is so obsessed with Windows and all things MS that his clownish behavior and crass stupidity is so lost on him he really thinks deep down in his veins that he has one coherent thought stuffed up there in his noodle (when in fact the last train left the station years ago).

    "Get a Windows phone," he states, "its (sic) better" - a subjective statement in it's own right as better is different things to different folk, "and cheaper" which is a ridiculous statement because one can pick up Android phones for free, just as you can for Windows devices etc.

    He might as well have stated (against Ford owners) by a Chevrolet, it's better and cheaper.

    What a total and utter maroon.
    Lost In Clouds of Data
    • typo

      Buy, not by...
      Lost In Clouds of Data
      • typo (2)

        Not to mention "in it's own" (should be "its" in case you still have not noticed)...

        Physician, heal thyself and/or join the chorus demanding an Edit button. Or start a new call to have ZDNet switch to Disqus, which also allows notification of new comments and responses to one's own.
        With ZDNet I have to keep the tab open and scroll through the comments list (or have I missed something?).
        • Not the use of (sic)

          I wasn't complaining about his misuse since I know I'm just as bad (as was shown) with f'ups. Using (sic) is simply stating that the error being quoted is being quoted warts and all with the full knowledge that it's incorrect. It's not necessarily a judgement - it's simply a statement.

          And yes, ZDNet so badly needs a bloody edit button it's unreal. Even el Reg gives you a 10-minute-odd window to correct. C'mon Ziff Davis, get with the 20th century already (perhaps they'll reach the 21st in another 20 years)....
          Lost In Clouds of Data

      Thanks for the mention!
      • You deserve to be mentioned, LD!

        Your jokes in here are funny, and I really respect you as a comedian. You're funnier than Mike Cox, in my opinion.
      • She, not he

        Just so's you know, Lovy ol' Rock.
        Lost In Clouds of Data
  • Who cares?

    Anyone using Android, Windows Phone or the other platform, can't be doing real work or have personal and sensitive information on it. This is a basic security rule. So, what is the point of it?
    I do still use Android and my kid too, for games, most of the time. A little GPS stuff and nothing more. No, I don't surf the web on the WP8. Nor on the Android. That would be really stupid.

    I do use my Windows Phone for email and for my daily stuff, but I don't trust it with too much information, and I only use wireless communication when I need it.

    The work is done on the PC. Everything else is for fun and games.

    Oh, of course I don't use "fakebook" and those "social" strange and dangerous apps.

    Bottom line, I do like Android and Windows Phone 8, but you do have to take care on what you choose to install, because not everybody knows how to configure a router to track all traffic from the device and inspect it on the log server.
  • Android is living on borrowed time

    At some point, the malware miscreants are going to start attacking Android's many vulnerabilities rather than wait for an unsuspecting user to download and install an app from an unknown source (which is not the default in Android).

    I hope that Google understands the various Android security issues. In addition, I hope that Google fixes them before porting Android apps to Chrome OS, which is a relatively secure platform.
    Rabid Howler Monkey
  • I Like These FUD Blog Posts

    I can use them to scare my friends and family into stopping doing stupid stuff. It hasn't worked yet, but there is always hope.
  • Still waiting

    We know that Windows XP is a hacker's dream and they can infect that OS almost at will. But other than users installing crap from 3rd party stores, we still have not seen any major infection of Android. Not from WiFi connection, the browser, Bluetooth, etc. Even all these fear stories about issues with Google Play store apps have not come to light.

    Don't get me wrong, I think Google needs the pressure to continue to secure their OS, but so far all of these exploits are non-existent.
    Rann Xeroxx
  • Android Security?

    My Android machines do not have any confidential stuff on them. If I want to buy apps, I just purchase a Google Play card for $10 or $25 and use that. I will not put my credit card numbers or any information on them into Android. Financial institutions should issue credit cards with $250 to $500 limits so if someone gets hold of them, they will be seriously limited in dollar amounts. These cards could be used for Internet purchases. Every credit card should have a PIN number that is not on the card and has to be entered by the owner when it is used. The so-called security code number on the back of the card is not secure at all when you use it at a restaurant or bar or any place where the card leaves your hands. Windows is probably more secure, but then its complexities make it hard to design and build inexpensive devices using it.
    For me personally, Android is for fun and games and I use W7 for any financial transactions.
  • Apps Man, Apps

    They aren't talking about the OS not being secure, they're talking about the free apps available. I'm on a Linux system that's locked down tighter than a duck's butt in the water, but that won't do any good if I install an app that is infected or an insecure app that doesn't have proper security checks in its sub-routines.
    I just inherited a nice smart-phone running Android, the first thing I did was to go through the dozens of apps installed and removed the ones that were known to have security/privacy issues, and it wasn't just the free apps that had to go....
  • easy to secure android

    Android's problem is not really Google's problem or the user's problem; it's the manufacturer who does the most harm to Android's security by not upgrading. Sprint still sells phones that are on Android version 2.3, which was released 4 years ago, ... now realize that there is a version 4.4.4.

    As long as your device gets regular updates to Android (my old Nexus 7, got it in 2012, still does; it's on 4.4.4), and you install "App Ops", which will let you control the permissions that any app is allowed to have, then even if you do get that game that is going to try to steal your phonebook, get things stolen in a man-in-the-middle attack and eat your kitten, how is it going to be able to do anything when it doesn't even have access to the internet or your contacts or your kitten? Every app run by Android plays in its own sandbox; it doesn't have access to anything without a permission, which you see a list of every time you install an app. Be smart, read, and don't install things that have weird permissions, like "send and receive MMS" or "make and receive calls" for a game where you squish ants with your finger, unless you really need the ants to call 900 numbers. If you have to install apps like that, use "App Ops" to restrict their permissions.

    Just look up "App Ops" in the Play Store. And quit buying devices that manufacturers have no intention of supporting.