Research has shown that thousands of popular apps in the Google Play store may leave sensitive information exposed.
A paper released by researchers from Leibniz University in Hannover and Philipps University of Marburg found that 17 percent of the Secure Sockets Layer (SSL)-using apps analyzed in a study -- biased towards free, popular applications -- were vulnerable to man-in-the-middle (MITM) attacks.
Man-in-the-middle attacks are similar to eavesdropping: an attacker intercepts messages, fakes authentication and may inject new information while impersonating a different source.
Of a sample of 13,500 apps, 1,074 contained flaws in their SSL implementation; the researchers state that these apps contained "SSL specific code that either accepts all certificates or all hostnames for a certificate and thus are potentially vulnerable to MITM attacks". From this sample, the teams manually carried out MITM attacks against 100 apps out of the set.
Through the attacks, data was fraudulently captured, including "credentials for American Express, Diners Club, Paypal, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, IBM Sametime, remote servers, bank accounts and email accounts." In addition, the team wrote:
"Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted."
This wasn't the end of such vulnerabilities. By creating a proof-of-concept tool called MalloDroid, which finds potentially exploitable SSL programming, the researchers were able to manipulate virus signatures to update the functionality of an anti-virus app to kill off mobile device protection or even remove applications.
It was also possible to remotely inject and execute code in an app created by a vulnerable app-building framework.
Although weak code may never actually be used during operation, it is also important to note that a follow-up survey of 754 participants suggested that many app developers are not making security indicators clear enough to users -- and so users may not recognize the difference between a secure and an open browser session.
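
The two flaw classes the researchers describe (code that accepts all certificates, or all hostnames for a certificate) can be searched for in an app's Java source during code review. The scanner below is an added example, not code from the paper or from MalloDroid; the rule names, the regex heuristics and the sample classes are assumptions constructed for illustration.

```python
import re

# Heuristic patterns for the two flaw classes: a TrustManager whose
# checkServerTrusted body is empty, and hostname checks that always pass.
RULES = {
    "trust-all-certificates": re.compile(
        r"void\s+checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+?)?"
        r"\{\s*(?:return\s*;\s*)?\}"),
    "accept-all-hostnames": re.compile(
        r"boolean\s+verify\s*\(\s*String\s+\w+\s*,\s*(?:javax\.net\.ssl\.)?"
        r"SSLSession\s+\w+\s*\)\s*\{\s*return\s+true\s*;\s*\}"),
    "allow-all-hostname-verifier": re.compile(
        r"\b(?:ALLOW_ALL_HOSTNAME_VERIFIER|AllowAllHostnameVerifier)\b"),
}
# Simplification: a '//' inside a string literal is also treated as a comment.
COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)

def strip_comments(source):
    """Blank out Java comments, keeping newlines so line numbers stay valid."""
    return COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), source)

def scan(source):
    """Return sorted (line_number, rule_name) findings for one Java source text."""
    code = strip_comments(source)
    findings = []
    for name, pattern in RULES.items():
        for match in pattern.finditer(code):
            findings.append((code.count("\n", 0, match.start()) + 1, name))
    return sorted(findings)

# Constructed sample input (not taken from any real app).
SAMPLE_VULNERABLE = """\
class TrustAll implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] c, String a) {}
    public void checkServerTrusted(X509Certificate[] c, String a) { /* ok */ }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}
class AnyHost implements HostnameVerifier {
    public boolean verify(String host, SSLSession s) { return true; }
}
"""
SAMPLE_SAFE = """\
class Delegating implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] c, String a)
            throws CertificateException {
        platformDefault.checkServerTrusted(c, a);  // real chain validation
    }
}
"""
if __name__ == "__main__":
    print(scan(SAMPLE_VULNERABLE))
```

A finding is a prompt for manual review rather than proof of exposure, since flagged code may never run against a production endpoint.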