Researchers at two German universities found that millions of Android app users are vulnerable to password and email theft. Tens of millions of installs of the most popular Android apps are at risk of leaking private data because of faulty SSL implementations.
A research paper released by the German researchers found that as many as 185 million users of Google Play's most popular apps are at risk of losing some of their most sensitive data. The paper does not name the Android apps that leave users vulnerable to password theft, but it does mention that they were downloaded between 39.5 million and 185 million times.
Experts from Leibniz University in Hanover and Philipps University in Hamburg built their own tool, MalloDroid, to find exploitable SSL bugs. Of the 13,500 popular free Google Play apps analyzed, 1,074 were vulnerable to MITM attacks. Users become vulnerable when apps send data over the Internet without properly validating the SSL connection.
“We could gather bank account information, payment credentials for PayPal, American Express and others” reads the German paper. “Furthermore, Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted” the experts add.
Overall, 8 percent of the 13,500 Android apps analyzed contained “SSL specific code that either accepts all certificates or all hostnames for a certificate and thus are potentially vulnerable to MITM attacks”.
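The two defects that 8 percent figure refers to, as an added Java example that is not from the paper or from any app it studied: a TrustManager that accepts every certificate and a HostnameVerifier that accepts every hostname, beside a hardened form that trusts only a CA certificate shipped with the app (the certificate stream and the pinned CA are assumptions) and leaves hostname verification at its default.

```java
import javax.net.ssl.*;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public class TlsTrustExample {

    // ANTI-PATTERN the paper flags: a TrustManager that never rejects a chain.
    // Any certificate presented by an on-path attacker is accepted.
    static SSLSocketFactory acceptAllCertificates() throws Exception {
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) { /* never rejects */ }
            public void checkServerTrusted(X509Certificate[] c, String a) { /* never rejects */ }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        return ctx.getSocketFactory();
    }

    // ANTI-PATTERN the paper flags: "accepts all hostnames for a certificate".
    static final HostnameVerifier ACCEPT_ANY_HOST = (hostname, session) -> true;

    // HARDENED: an in-memory trust store holding only the CA certificate the app ships
    // (caCertStream is assumed to be opened by the caller from the app's resources).
    static SSLSocketFactory trustOnlyPinnedCa(InputStream caCertStream) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ca = cf.generateCertificate(caCertStream);

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                      // start from an empty store
        ks.setCertificateEntry("pinned-ca", ca);   // the only trusted issuer

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    static HttpsURLConnection connect(String url, SSLSocketFactory factory) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new java.net.URL(url).openConnection();
        conn.setSSLSocketFactory(factory);
        // Deliberately no conn.setHostnameVerifier(ACCEPT_ANY_HOST): the default verifier
        // checks the certificate's name against the URL's host, which the anti-pattern skips.
        return conn;
    }
}
```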
Jeremiah Grossman, CTO and founder of WhiteHat Security, told PC Advisor the faulty SSL protocol in Android apps is not a surprise. “The implementation problems with SSL was, or is, true with a good number of websites as well. As the mobile landscape is immature, one might expect this to be the case”.
According to Chester Wisniewski, Sophos senior security adviser, the password and email vulnerability is due to application developers' lack of knowledge of how to implement SSL properly.
“One of the problems with SSL is it’s very fragile” Wisniewski told PC Advisor. “If you break any one piece of how it works because it’s inconvenient, and disable or turn it off, then the whole thing is useless” he added.