Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Website Security Solutions

Faulty Encryption Could Leave Some Android Apps Vulnerable

Created: 15 Jan 2013 • Updated: 16 Jan 2013 • Translations available: Français, Deutsch, Español
Brian Wall's picture
+1 1 Vote
Login to vote

A team of university security researchers claims that 41 Android applications downloaded by as many as 185 million users are plagued by faulty encryption and inadequate SSL protection that leak data between a device and webservers.

If the vulnerability was ultimately exploited, it would allow malicious hackers to steal data related to online banking, social network credentials, email, instant message content and more. In addition, the faulty SSL protections in one of the affected apps - an antivirus application - can make data vulnerable to theft on Android devices running Ice Cream Sandwich (Android 4.0).

Interestingly, the researchers refrained from specifying particular apps with alleged faulty protection, but did emphasise the programs had been downloaded between 39.5 million and 185 million times, based on Google's statistics.

To prove the above-mentioned vulnerabilities, the researchers connected devices during testing to a local area network and used a variety of what they call "well-known" exploits to defeat the Secure Sockets Layer and transportation layer security protocols.

"We could gather bank accounts, payment credentials," the researchers, from Germany's Leibniz University of Hannover and Philipps University of Marburg, wrote. " credentials and messages were leaked, access to cameras was gained and control channels for apps and remote servers could be subverted."

Although there is little evidence to suggest any of the vulnerable apps were coded by Google itself, the researchers did note that engineers at Mountain View could take certain steps to ensure heightened security for apps hosted by Google Play.

We know that Google has a great track record on security – they already employ site-wide SSL across most of their web properties. As Google itself points out: “We take both topics very seriously and truly believe that our offerings are a great option for customers on both fronts. Our business is built on our users' trust: trust in our ability to properly secure their data and our commitment to respect the privacy of the information they place in our systems by not giving that information to others or using it inappropriately.” For tips on mobile security download Symantec Website Security Solution’s free mobile security whitepaper.