Researchers find SSL flaws in free Android apps

Researchers have highlighted how badly some Android developers are failing at securing apps, revealing that they were able to steal bank details, email and social-media accounts during a sweep of 13,500 free apps.
Written by Michael Lee, Contributor

A group of researchers has examined 13,500 free Android applications to expose the many applications that fail to adequately secure connections using the Secure Sockets Layer/Transport Layer Security (SSL/TLS) cryptographic protocol, or that do so in a way that leaves users vulnerable to attack.

The researchers from the Leibniz University of Hanover and the Philipp University of Marburg, Germany, found that of the 13,500 apps analysed, 1,074 contained code that was potentially vulnerable to a man-in-the-middle (MITM) attack. This particular type of attack intercepts regular traffic, then inspects and/or modifies the data before passing it on to its intended destination without either of the original parties knowing.

The analysis of the apps was conducted using an automated tool called MalloDroid, which looks at the validity of SSL certificates and searches for known poor practices. From its analysis, the researchers picked a further 100 apps to audit manually.

Of those 100 apps, 41 were not merely potentially vulnerable but were confirmed to be vulnerable to MITM attacks.

"We were able to capture credentials for American Express, Diners Club, PayPal, bank accounts, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, remote-control servers, arbitrary email accounts, and IBM Sametime, among others," the researchers wrote in their paper (PDF).

Of the 41 apps, one was an antivirus app, which, although it asked for a certificate when downloading virus signatures, would accept any certificate presented to it. Furthermore, on the assumption that the connection is secure, the app makes no attempt to validate the file presented to it.

"We were able to feed our own signature file to the antivirus engine. First, we sent an empty signature database that was accepted, effectively turning off the antivirus protection without informing the user.

"In a second attack, we created a virus signature for the antivirus app itself, and sent it to the phone. This signature was accepted by the app, which then recognised itself as a virus and recommended to delete itself, which it also did."
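As an added illustration, not code from the paper or from any of the apps it studied: the "accept any certificate" trust manager that MalloDroid flags as a known poor practice, beside a trust store pinned to the vendor's own CA and a signature check on the downloaded database, which is the second check the antivirus app skipped. The CA certificate stream, the vendor public key and the SHA256withRSA scheme are assumptions.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class SignatureUpdater {

    // VULNERABLE: the pattern found in the audited apps. Every chain passes
    // checkServerTrusted, so any party on the network path can serve the update.
    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) {}
        public void checkServerTrusted(X509Certificate[] chain, String authType) {}
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // HARDENED: trust only the CA that issued the update server's certificate.
    // caPem is the PEM-encoded CA certificate shipped inside the APK (assumed).
    // Use ctx.getSocketFactory() with HttpsURLConnection and keep its default
    // hostname verifier; replacing it with an allow-all verifier reopens the hole.
    static SSLContext pinnedContext(InputStream caPem) throws Exception {
        X509Certificate ca = (X509Certificate) CertificateFactory
                .getInstance("X.509").generateCertificate(caPem);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                 // empty store, then add only our CA
        ks.setCertificateEntry("update-ca", ca);
        TrustManagerFactory tmf = TrustManagerFactory
                .getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // The database must also carry the vendor's signature (assumed detached
    // SHA256withRSA). An empty or tampered file then fails here instead of
    // silently switching protection off or turning the engine on itself.
    static boolean verifyDatabase(byte[] db, byte[] sig, PublicKey vendorKey)
            throws Exception {
        if (db.length == 0) return false;    // empty database == protection off
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(vendorKey);
        verifier.update(db);
        return verifier.verify(sig);
    }
}
```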

While these errors highlight the poor coding practices of developers, the researchers also found blame with the Android operating system itself. Unlike the padlock symbol on most modern browsers, there is no visual feedback to indicate whether a secure SSL channel has been established.

"Apps are also not required to signal this themselves, and there is nothing stopping an app from displaying wrong, misguided, or simply no information."

Facebook was one of the few apps providing a reasonable error message. (Screenshot by Michael Lee/ZDNet)

An example of this includes Google's own Play store. Using an invalid SSL certificate (which can be easily tested by changing the system clock) provides no notification to the user that there is a security issue, instead stating that there is no connection.

An exception to this is the default Android browser, which the researchers critiqued as being "exemplary in its SSL use." However, even though it clearly displays meaningful warnings in the event of a potential security issue and provides visual aids as to whether and when an SSL connection is established, the researchers found that users still had difficulty in distinguishing secure from insecure connections.

The researchers surveyed 754 users, the majority of whom were students with an average age of 24 years. Of the respondents, about 62 percent identified themselves as being non-IT experts. When given the survey without an SSL connection, 47.5 percent of the non-IT experts incorrectly thought that they were secure. However, the figure was not much lower for those who identified themselves as IT experts; 34.7 percent believed that they were safe when they were not.

Of the users who wrongly assumed that they had a secure connection, 47.7 percent thought that it was because their provider was trustworthy; 22.7 percent simply trusted their phone; and 21.6 percent thought that the address URL started with "https://" even though it didn't during the survey.
