Widespread SSL Vulnerabilities Identified in Android Applications

By Anthony Freed | October 22, 2012

Posted in: Network Security Trends

That application you just downloaded uses an encrypted connection, so your sensitive data is protected, right? Not necessarily, according to researchers from two German universities who discovered that thousands of applications are leaving users at risk. The problem lies in how application developers improperly implement the Secure Sockets Layer (SSL) protocol through the Android API, leaving users vulnerable on multiple fronts.

The research team, made up of experts from Leibniz University and Philipps University, analyzed over 13,000 applications currently available in the Google Play store and discovered that as many as 17% were vulnerable to data loss by way of man-in-the-middle (MITM) attacks.

MITM attacks can manifest in a variety of forms, but the basic gist is that an attacker inserts themselves between the target and any host it attempts to establish a connection with, allowing the attacker to eavesdrop on the communications and intercept sensitive data.

"We were able to capture credentials from American Express, Diners Club, PayPal, bank accounts, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, remote control servers, arbitrary e-mail accounts, and IBM Sametime," the researchers reported in a paper titled Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security.

The flaw stems from the applications' failure to verify digital certificates, which are used to validate legitimate websites and software and protect users from inadvertently exposing themselves to malware, phishing scams, and spoofed landing pages.

Of the applications analyzed in the study, the vulnerable ones contained "SSL specific code that either accepts all certificates or all hostnames for a certificate and thus are potentially vulnerable to MITM attacks."
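The two patterns the paper flags, an accept-all TrustManager and an accept-all HostnameVerifier, beside the form that keeps the platform's default validation. This is an added illustration written for this article, not code from the paper or from MalloDroid; the `openInsecure`/`openSecure` method names are assumptions.

```java
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class SslPatterns {

    // VULNERABLE (pattern 1): checkServerTrusted never throws, so any chain,
    // including one presented by a MITM proxy, is accepted as trusted.
    static final TrustManager[] TRUST_ALL = new TrustManager[] {
        new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };

    // VULNERABLE (pattern 2): every hostname verifies, so a valid certificate
    // issued for one site is accepted when connecting to a different one.
    static final HostnameVerifier ALLOW_ALL = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) { return true; }
    };

    // Illustrative name (assumption): how the flagged apps wire the two patterns in.
    static HttpsURLConnection openInsecure(URL url) throws IOException, GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, TRUST_ALL, null);          // replaces system trust store
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(ALLOW_ALL);      // disables hostname check
        return conn;
    }

    // HARDENED: install no custom TrustManager or HostnameVerifier. The default
    // socket factory validates the chain against the device trust store and the
    // default verifier checks the hostname; connect() throws SSLHandshakeException
    // on a forged certificate instead of silently sending credentials.
    static HttpsURLConnection openSecure(URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.connect();
        return conn;
    }
}
```

In code review or static scanning, an `X509TrustManager` whose `checkServerTrusted` body is empty and a `HostnameVerifier` that unconditionally returns `true` are the two signatures to look for.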

In addition, the researchers discovered they were able to tamper with antivirus functionality to cause some applications to be flagged as malware and removed, and were able to disable malware detection entirely on a device. "We were able to inject virus signatures into an anti-virus app to detect arbitrary apps as a virus or disable virus detection completely," the report states.

Complicating matters, the researchers found that many of the vulnerable applications did not clearly inform users when they were or were not engaged in an encrypted session, and just over half of the users in the study failed to correctly judge the security of a web connection over which sensitive data might be exchanged.

Based on the data collected in the study, the researchers have developed a tool called MalloDroid which will scan applications for exploitable vulnerabilities in SSL implementations and warn users if they are at risk. The tool will be made available as part of the Androguard security scanner suite.
