Hundreds of Android apps open to SSL-linked intercept fail

Hundreds of Android apps open to SSL-linked intercept fail

Summary: A researcher has revealed the names of hundreds of Android apps that leave users open to theft of credit card and personal information on public wifi networks.


Thanks to the boom in smartphone usage over the last few years, mobile apps have become the preferred way to do everything from dating to banking. However, while websites are securing data in transmission, mobile app developers are making a mess of it, leaving users' data unnecessarily exposed to snooping — a very real risk when connecting to public wi-fi.

One of the most common problems, according to Will Dormann from Carnegie Mellon University's CERT, is that developers are releasing apps that fail to properly validate SSL certificates for HTTPS connections.

In an effort to clean them up, he's decided to name and shame hundreds of Android apps available on Google Play and Amazon that leave users' data exposed to interception.

Among the 380 Android apps on Google Play and Amazon so far on the list include the popular SwiftKey Keyboard, μTorrent Remote, a handful of security apps, as well as ticket sales, dating, gaming, and mobile banking apps. (SwiftKey, which has an iOS 8 keyboard in the works, told ZDNet a fix for its validation of SSL certificates "will be released ASAP". A SwiftKey spokeswoman also pointed to the company's data security policy here.) 

As Dormann notes, the issue is on the radar of the US Federal Trade Commission, which recently took two firms to task for telling consumers their iOS and Android apps transmit data securely when in fact they had allegedly disabled SSL certificate verification. In each case, it left users open to an attacker intercepting credit card and other personal information going to and from the app.

While other researchers have highlighted similar problems with SSL in apps previously, Dormann notes that they either haven't notified the makers of affected products or didn’t name them. Dormann's also opted not give affected vendors the customary 45 days they would normally have to fix a problem before making the flaw public.

He outlines two main reasons for short-cutting the disclosure period:

  • If an attacker is interested in performing MITM attacks, they're already doing it. That cat is already out of the bag. They've likely set up a rogue access point and are already capturing all of the traffic that passes through it. Further supporting this suspicion is the fact that the FTC has already filed charges against the authors of two mobile applications that fail to validate SSL certificates. Knowing which specific applications are affected does not give any advantage to an attacker.
  • If end users have vulnerable applications on their phones, knowing which applications are affected does give an advantage to the defenders. They can choose to uninstall vulnerable applications until fixes are available, or if they must, they can choose to use said applications only on trusted networks.

So what should users do if they find that an app they’ve installed leaved their data open to snooping? Switch to the app's mobile website instead.

"Many Android applications are unnecessary in that the content they provide access to is available via other means. For example, while a bank may provide an Android application for accessing its resources, those same resources are usually available by using a web browser. By using a web browser to access those resources, you can help avoid situations where SSL may not be validated," CERT notes in its advisory.

The other is to avoid untrusted networks. "Avoid using untrusted networks, including public WiFi. Using your device on an untrusted network increases the chance of falling victim to a MITM attack," CERT adds.

Read more on Android security

Topics: Security, Android, Apps, Mobility

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • ...

    Swift Key and μTorrent Remote transmit credit card information? I'm pretty sure they don't even have it. And no, this "attack" will not see keypresses by swiftkey.

    Also, the attack requires the attacker to control the WiFi access point, or equipment of the ISP. It's the same type of attack all iOS applications were vulnerable to for a while:
    • this is

      a vulnerability to whatever the app transmits. 90% of these apps won't transmit personal info anyway. it's similar to the issue of Google downranking sites that don't have HTTPS even though most sites out there don't deal with personal info and therefore don't need HTTPS, but Google feels it's better to have a blanket security out there just in case.

      some of the apps on this list though- credit card related apps and many games which presumable have in app purchases, could transmit personal info though.
      • iOS secure.. less SSL Goto fail trumps this

        First, if you share Swifts cloud, you should be hacked. Their predictive text is archaic. Even so, it's better than iOS in terms of usefulness and security.

        Laughable attempt by some no name company to try and since the secureless throne iOS sits on.
        • Out of all these Apps only few are worth a dime.

          First and foremost

          Safari browser --> expected, is this an Apple product... seems like it is.
          AT&T , Verizon apps. --> ROFL, expected
          Swift keyboard --> Never trusted their cloud.

          The rest are useless apps.
  • Bringing applications to light ...

    is the beginning. Hopefully these vendors will review their products for insecurities and fix (with a note in their respective updates about the SSL security fix), so we know that a fix has been provided.
  • Apparently, I lucked out

    I don't use any of the listed apps. I wonder how widely used they are.

    I do find it odd that all of the ones with non-English names are Korean.
    John L. Ries
    • I use one

      RunKeeper. And I don't use it all the time and I don't make any in-app purchases and I don't share the results of my workouts.
  • I've seen a number of websites

    recommend to "always use the app rather than the website because the app is more secure". assuming the website has HTTPS this often isn't at all the case. apps are a black box and for secure stuff I have a hard time trusting most of them.
    • and I'm quite sure

      that this is true for iOS and windows as much as android
    • theoilman: "apps are a black box"

      Web browsers, email clients, media players, etc. aren't black boxes too? Indeed they are black boxes, unless they are fully open source.

      Mobile app proliferation is curious. Why not use a web browser and media player instead of loading a ton of apps with dubious software quality. At least the major web browsers, email clients, media players, etc. receive some regular scrutiny from the security community.
      Rabid Howler Monkey
      • at least on a website

        you can see some things like if they use HTTPS. it's only partial information but apps give you no info at all as to their security.
  • So

    Who was it that was claiming Android is inherently more secure than iOS? Ah, yes, This guy:

    "IOs has had a security issue every few months

    For a few years now. Why are there people still using the most insecure OS out there?

    Apple has proven it can't be trusted with your personal data.

    A few years back, someone hacked Amazon's through an Apple device. SSL Goto Fail was Epic! And now two other Apple cloud services.

    Who in their right mind doesn't question Apple's responsibility on this? They charge and arm and a leg for subpar service.


    • Well...

      Those comments seem to be referring to iOS itself, where this article is about applications ran by the OS.
      Hallowed are the Ori
    • Security doesn't exist in computing

      Deal with it.
      Rabid Howler Monkey
      • Well that explains all those other accounts that simply say "deal with it"

        Mystery solved
        • @Emacho, if you are accusing me of having multiple accounts at ZDNet

          At least list those other accounts.
          Rabid Howler Monkey
      • Exactly

        Now tell it to Uralbas and drwong etc. who constantly dis Microsoft and/or Apple products and praise Linux and Leech that uses Linux and claims itself Open Source.
        Ram U
        • Leech?

          Rabid Howler Monkey
      • Matter of degree

        As in more or less secure. Complete security is probably not possible without making computers unusable.
        John L. Ries
        • If one uses an operating system designed from the beginning

          and subsequently developed with security in mind, then a case could be made that it is a "matter of degree". Do you use an OS such as Green Hills Integrity, Qubes OS or OpenBSD? If so, then I'll agree with you.

          Just realize that with Qubes OS one has to use the right virtual machine for the right task. For example, don't use one's general Internet VM (used for personal surfing, email, media streaming, etc.) for online banking or trading. Or for work-related tasks.

          And with OpenBSD, as soon as one installs an application all of the vulnerabilities associated with that application have been added to one's system. This includes installing (especially) and a desktop environment necessary to run the vast majority of user applications. A good example is the recent OpenSSL heartbleed vulnerability which impacted OpenBSD.

          Security in computing is an illusion.
          Rabid Howler Monkey