SSL Apps Vulnerable to Attack

Researchers from two German universities have examined 13,500 popular free apps downloaded from Google’s Play Market and found that 1,074 (8.0%) expose sensitive information, such as log-in credentials and personal information/files, to attack.

Apps such as those from American Express, Diners Club, Paypal, bank accounts, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, remote control servers, arbitrary email accounts, and IBM Sametime have been singled out as being vulnerable.

The paper (pdf) explains how poor coding when using the SSL protocol has left apps susceptible to Man-in-the-Middle (MITM) attacks.

MITM is where, for example, a rogue WiFi access point appears to provide access to a remote secure server but instead reads the data before passing it on to the legitimate server. The paper describes the various ways in which apps have accepted connections to secure servers without properly checking the server’s authenticity, such as trusting any certificate or skipping the hostname check.

This is yet another example of security vulnerabilities brought on by poor coding. However, in many cases it’s not just the developers’ fault. Only last week I was in a workshop where I commented on how mobile apps seem to bypass traditional company processes. Software processes, procedures and safeguards seem to get forgotten when it comes to mobile. This, together with the relative lack of experience of many new mobile developers, is lowering not just the security but also the quality of apps.

For example, who would believe that large financial organisations would release consumer apps without a deep security code review? It’s happening.

A few more things…
  • This isn’t just an Android issue. It’s how SSL is being used that is at fault, and I expect this is as much an issue on other platforms.
  • Validating SSL certificates has always been tricky on mobile due to the variation in root certificates installed on different devices. Instead of silently ignoring a failed validation, apps should warn the user in the cases where a connection is potentially insecure.
  • This has absolutely nothing to do with Android’s in-built browser, which the researchers found is exemplary in its use of SSL.
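The two checks the article says vulnerable apps skipped, the certificate chain check and the server name check, are shown below in Python's standard `ssl` module as an added example; this is not code from the article or from the paper it discusses. It builds the "trust everything" client configuration the paper describes next to the hardened default, an audit function that flags the weak settings, and the hostname-matching rule a client must apply to a certificate's SAN entries before trusting the connection. The host names and SAN lists are constructed sample data, and the function names are my own.

```python
"""Added example: TLS client validation done wrong and done right."""
import ssl


def make_trust_everything_context() -> ssl.SSLContext:
    """The anti-pattern: accept any certificate for any host.

    A 'trust all' certificate manager combined with an 'allow all hostnames'
    verifier amounts to exactly this. A rogue access point can present its own
    certificate and the client will never notice.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # chain is no longer verified at all
    return ctx


def make_hardened_context() -> ssl.SSLContext:
    """Validation on: the chain is checked against the platform trust store
    and the server name is checked against the certificate's SAN entries."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the validation weaknesses present in a client context.

    An empty list means both the chain check and the hostname check are on.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("server name is not checked against the certificate (check_hostname is False)")
    return findings


def hostname_matches(hostname: str, san_dns_names: list[str]) -> bool:
    """Check a server name against the certificate's dNSName SAN entries.

    Conservative subset of the RFC 6125 rules: exact match is case-insensitive;
    a wildcard is allowed only as the whole leftmost label, matches exactly one
    label, and needs at least two labels after it, so '*.com' never matches.
    This is the check an 'allow all hostnames' verifier throws away.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in san_dns_names:
        labels = name.lower().rstrip(".").split(".")
        if labels == host_labels:
            return True
        wildcard_ok = labels[0] == "*" and len(labels) >= 3
        if wildcard_ok and len(labels) == len(host_labels) and labels[1:] == host_labels[1:]:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: the app wants api.example.com, a MITM box presents
    # a certificate issued for a different name.
    for label, ctx in (("trust-everything", make_trust_everything_context()),
                       ("hardened", make_hardened_context())):
        print(label, "findings:", audit_tls_context(ctx) or "none")
    print("name check:", hostname_matches("api.example.com", ["*.example.com"]))
    print("name check:", hostname_matches("api.example.com", ["rogue-ap.local"]))
```

The audit function is the kind of check worth running in a code review or a unit test of an app's networking layer: any context that reports a finding will complete a handshake with the rogue access point described above. The hostname matcher shows why the name check is separate from the chain check; a certificate can be perfectly valid and still belong to the wrong server.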