The majority of Android's most popular apps are susceptible to SSL vulnerabilities, according to new research.
Google's Android operating system is an open-source, free framework whose unrestrictive nature appeals to developers. However, with such an open and free system, there is always the potential for abuse, a lack of patching and security consistency, and a wealth of Android-based operating systems and apps which may contain different vulnerabilities that can be exploited.
After analyzing the 1,000 most-downloaded free Android applications in the Google Play store, the FireEye Mobile Security Team found that a significant portion of them are susceptible to Man-In-The-Middle (MITM) attacks. According to a blog post published Thursday, the researchers found that as of July 17, 2014, 674 out of 1,000 contained at least one of three SSL vulnerabilities studied.
In other words, 68 percent of the most popular apps could become a pathway for cybercriminals to lift sensitive data.
Man-In-The-Middle (MITM) attacks occur when an attacker is able to intercept data exchanged between a device and a remote server. Once intercepted, data can be lifted freely -- which could include usernames and passwords, emails, device ID, location, photos and video. In addition, the vulnerability explored allows criminals to inject malicious files into vulnerable applications, launch DDoS attacks, or hold user data for ransom.
The security team says that many of these vulnerabilities were traced back to configurations within advertising libraries used by app developers, which allow advertisements to be displayed without the app creator having to develop the library themselves.
While the HTTPS protocol is often used to make it harder to intercept data, the incorrect use of the Android platform’s SSL libraries can become the weak link which allows MITM attacks.
FireEye looked at three particular SSL vulnerabilities in its research -- the use of trust managers that do not check certificates, the use of hostname verifiers that do nothing, and SSL errors in WebKit being ignored. Of the 1,000 most-downloaded free apps in Google Play, 614 use SSL/TLS to communicate with a remote server; of those, 73 percent did not check certificates, and 8 percent used their own hostname verifiers that do not check hostnames. Out of 285 apps which used WebKit, 77 percent ignored the SSL errors generated.
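As an added example (not from FireEye's research or the original article), the following Python check flags the three patterns described above in Java source text. The method names are the standard Java/Android overrides (`X509TrustManager.checkServerTrusted`, `HostnameVerifier.verify`, `WebViewClient.onReceivedSslError`); the matching heuristics and the sample class are constructed assumptions.

```python
import re

# Method name -> (finding, predicate that is True when the body is unsafe).
# Heuristic source-level check; string literals containing braces or "//" can confuse it.
CHECKS = {
    "checkServerTrusted": ("trust manager does not check certificates",
        lambda b: "throw" not in b and "checkServerTrusted" not in b),
    "verify": ("hostname verifier does not check hostnames",
        lambda b: re.fullmatch(r"\s*return\s+true\s*;\s*", b) is not None),
    "onReceivedSslError": ("WebView SSL error ignored",
        lambda b: ".proceed(" in b and ".cancel(" not in b),
}

def method_bodies(src, name):
    """Yield the brace-balanced body of every declaration of method `name`."""
    decl = re.compile(r"\b%s\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+)?\{" % re.escape(name))
    for m in decl.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield src[m.end():i - 1]

def scan(java_src):
    """Return [(method, finding)] for each unsafe override found in Java source text."""
    src = re.sub(r"//[^\n]*|/\*.*?\*/", "", java_src, flags=re.S)  # drop comments
    return [(name, finding)
            for name, (finding, unsafe) in CHECKS.items()
            for body in method_bodies(src, name) if unsafe(body)]

# Constructed sample showing all three patterns (not taken from any real app).
SAMPLE = """
class Net {
  TrustManager tm = new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] c, String a) {}
    public void checkServerTrusted(X509Certificate[] c, String a) { /* accept all */ }
    public X509Certificate[] getAcceptedIssuers() { return null; }
  };
  HostnameVerifier hv = new HostnameVerifier() {
    public boolean verify(String host, SSLSession s) { return true; }
  };
  WebViewClient wc = new WebViewClient() {
    public void onReceivedSslError(WebView v, SslErrorHandler h, SslError e) { h.proceed(); }
  };
}
"""

if __name__ == "__main__":
    for method, finding in scan(SAMPLE):
        print(f"{method}: {finding}")
```

A trust manager that delegates to the platform's default `checkServerTrusted`, a verifier that delegates to the default hostname verifier, and an `onReceivedSslError` that calls `cancel()` are not flagged.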
The FireEye team notified the developers of the vulnerable apps it discovered; the notifications were acknowledged, with the promise of addressing the vulnerabilities in subsequent versions of their applications.
In addition to this sample, the team also analyzed roughly 10,000 Google Play apps, and estimates that approximately 40 percent use trust managers that do not check server certificates, exposing any data they exchange with their servers to potential theft. Furthermore, around seven percent use hostname verifiers that do not check anything, and 13 percent do not check SSL errors when WebKit is used.