Hundreds of Android apps open to SSL-linked intercept fail

A researcher has revealed the names of hundreds of Android apps that leave users open to theft of credit card and personal information on public wifi networks.
Written by Liam Tung, Contributing Writer

Thanks to the boom in smartphone usage over the last few years, mobile apps have become the preferred way to do everything from dating to banking. However, while websites are securing data in transmission, mobile app developers are making a mess of it, leaving users' data unnecessarily exposed to snooping — a very real risk when connecting to public wi-fi.

One of the most common problems, according to Will Dormann from Carnegie Mellon University's CERT, is that developers are releasing apps that fail to properly validate SSL certificates for HTTPS connections.

In an effort to clean them up, he's decided to name and shame hundreds of Android apps available on Google Play and Amazon that leave users' data exposed to interception.

Among the 380 Android apps on Google Play and Amazon so far on the list include the popular SwiftKey Keyboard, μTorrent Remote, a handful of security apps, as well as ticket sales, dating, gaming, and mobile banking apps. (SwiftKey, which has an iOS 8 keyboard in the works, told ZDNet a fix for its validation of SSL certificates "will be released ASAP". A SwiftKey spokeswoman also pointed to the company's data security policy here.) 

As Dormann notes, the issue is on the radar of the US Federal Trade Commission, which recently took two firms to task for telling consumers their iOS and Android apps transmit data securely when in fact they had allegedly disabled SSL certificate verification. In each case, it left users open to an attacker intercepting credit card and other personal information going to and from the app.

While other researchers have highlighted similar problems with SSL in apps previously, Dormann notes that they either haven't notified the makers of affected products or didn’t name them. Dormann's also opted not give affected vendors the customary 45 days they would normally have to fix a problem before making the flaw public.

He outlines two main reasons for short-cutting the disclosure period:

  • If an attacker is interested in performing MITM attacks, they're already doing it. That cat is already out of the bag. They've likely set up a rogue access point and are already capturing all of the traffic that passes through it. Further supporting this suspicion is the fact that the FTC has already filed charges against the authors of two mobile applications that fail to validate SSL certificates. Knowing which specific applications are affected does not give any advantage to an attacker.
  • If end users have vulnerable applications on their phones, knowing which applications are affected does give an advantage to the defenders. They can choose to uninstall vulnerable applications until fixes are available, or if they must, they can choose to use said applications only on trusted networks.

So what should users do if they find that an app they’ve installed leaved their data open to snooping? Switch to the app's mobile website instead.

"Many Android applications are unnecessary in that the content they provide access to is available via other means. For example, while a bank may provide an Android application for accessing its resources, those same resources are usually available by using a web browser. By using a web browser to access those resources, you can help avoid situations where SSL may not be validated," CERT notes in its advisory.

The other is to avoid untrusted networks. "Avoid using untrusted networks, including public WiFi. Using your device on an untrusted network increases the chance of falling victim to a MITM attack," CERT adds.

Read more on Android security

Editorial standards