Android applications are once again in the hot seat over possible security vulnerabilities.
Security researchers at the Leibniz University of Hanover in Germany recently released a study (PDF) examining the way in which legitimate Android applications in the Google Play marketplace respond to attacks on security protocols known as Secure Sockets Layer (SSL) and Transport Layer Security (TLS). In 8 per cent of those cases, the researchers found that apps used the security protocols improperly, leaving sensitive data open to hackers with some know-how.
The security team, however, didn't suggest that anyone has deliberately exploited these vulnerabilities yet.
SSL and TLS are popular security protocols employed across the web and in Android apps. The protocols encrypt the connection between a client and a server, and the client checks the server's certificate so that it is supposedly talking only to the intended party when it transmits sensitive information. However, the researchers argue that some Android applications that connect to the web and need to transfer data, such as passwords and account information, aren't using the SSL and TLS protocols properly.
"We introduce MalloDroid, a tool to detect potential vulnerability against man-in-the-middle (MITM) attacks," the researchers wrote. "Our analysis revealed that 1074 (8 per cent) of the apps examined contain SSL/TLS code that is potentially vulnerable to MITM attacks. Various forms of SSL/TLS misuse were discovered during a further manual audit of 100 selected apps that allowed us to successfully launch MITM attacks against 41 apps and gather a large variety of sensitive data."
MITM attacks occur when a third party — a hacker, thief, spy, etc. — inserts itself into a connection between two devices, while maintaining the illusion that they are only communicating with each other. All the while, the third party is capturing the data that passes through.
The team found that over 1000 applications are willing to communicate over SSL with anything that presents a certificate, whether or not that certificate is valid for the server the app expects. That, the researchers said, allows for MITM attacks, since a third party on the network path can present its own certificate and the app will accept it as the legitimate server.
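The misuse described above is, in code, a custom trust manager that never rejects a certificate chain. The following is an added example written for this page, not code from the study or from any of the audited apps: it shows that accept-everything pattern beside a hardened client that keeps the platform's normal certificate validation and additionally pins the server's public key. The class and method names, and the pin value, are assumptions (the pin is an obvious placeholder, not a real server's key).

```java
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collections;
import java.util.Set;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical helper class (added example, not from the study).
public class TlsTrustExample {

    // --- The misuse the study describes ---------------------------------
    // A trust manager whose check methods do nothing accepts every chain,
    // so any party that presents any certificate is treated as the server.
    static final X509TrustManager ACCEPT_ALL = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // Vulnerable client: installs ACCEPT_ALL and a hostname verifier that
    // never rejects. This is the "before" picture, kept only for contrast.
    static HttpsURLConnection openVulnerable(URL url) throws IOException, GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { ACCEPT_ALL }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(new HostnameVerifier() {
            @Override public boolean verify(String hostname, SSLSession session) { return true; }
        });
        return conn;
    }

    // --- Hardened form -----------------------------------------------------
    // Obtain the platform's default X509TrustManager (system CA store).
    static X509TrustManager defaultTrustManager() throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Trust manager that first runs the platform's normal chain validation and
    // then requires the leaf public key to match one of a known set of pins.
    static X509TrustManager pinningTrustManager(final X509TrustManager delegate,
                                                final Set<String> allowedPins) {
        return new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                delegate.checkClientTrusted(chain, authType);
            }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                delegate.checkServerTrusted(chain, authType);   // standard CA validation first
                String pin = sha256Base64(chain[0].getPublicKey().getEncoded());
                if (!allowedPins.contains(pin)) {
                    throw new CertificateException("server public key not pinned: " + pin);
                }
            }
            @Override public X509Certificate[] getAcceptedIssuers() {
                return delegate.getAcceptedIssuers();
            }
        };
    }

    static String sha256Base64(byte[] data) throws CertificateException {
        try {
            return Base64.getEncoder().encodeToString(MessageDigest.getInstance("SHA-256").digest(data));
        } catch (GeneralSecurityException e) {
            throw new CertificateException(e);
        }
    }

    // Hardened client: default validation plus pinning, default hostname verifier.
    // PLACEHOLDER_PIN is a constructed value; a real app embeds the SHA-256 of
    // its own server's SubjectPublicKeyInfo.
    static final Set<String> ALLOWED_PINS = Collections.singleton("PLACEHOLDER_PIN_BASE64");

    static HttpsURLConnection openHardened(URL url) throws IOException, GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { pinningTrustManager(defaultTrustManager(), ALLOWED_PINS) }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // No setHostnameVerifier call: the platform default still checks the host name.
        return conn;
    }
}
```

The simplest hardened client is just `url.openConnection()` with no custom trust manager or hostname verifier at all, which is what most apps should do; the pinning variant above is the form to reach for when a single known backend is involved. In a code review, any `X509TrustManager` whose `checkServerTrusted` body is empty, or any `HostnameVerifier` that returns `true` unconditionally, is the signature to flag.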
To further determine the extent to which the vulnerabilities could affect users, the researchers chose 100 apps to analyse. Of those, 41 were confirmed to contain vulnerabilities. When exploiting those vulnerabilities, the researchers found that they were able to access credentials for everything from credit cards to social-media accounts.
Making matters worse, the researchers found that of those 41 apps, the cumulative install base of the apps is somewhere between 39.5 million and 185 million users, as determined by the range of application downloads provided by the Google Play store. Three of the applications had user-install bases of 10 to 50 million.
What can be done to address the problems? Improved permissions and policies built into the operating system might help; so would policies that prevent developers from using their own methods for handling SSL or TLS instead of the platform's default certificate validation. The researchers said that Google should also consider checking apps for vulnerable SSL/TLS code before allowing them into its marketplace.
CNET has contacted Google for comment on the findings.