Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Website Security Solutions

SSL FLAWS LEAVE ANDROID APPS VULNERABLE

Created: 15 Nov 2012 • Updated: 18 Dec 2012 • 5 comments • Translations available: Français, Deutsch
Brian Wall's picture
+1 1 Vote
Login to vote

Apps it seems are everywhere now, and they continue to spread like wildfire. It’s a ‘technology on the go’ world we inhabit, where we are using apps for everything from social media, banking, gaming, making payments and a host of other things, at any time or day of the week. The convenience afforded by smart phones and other mobile devices have fast become the platform for serious business and consumer alike.

Global mobile app store downloads are forecast to surpass 45.6 billion in 2012, with free downloads accounting for 40.1 billion (89%) and paid-for downloads totalling 5 billion, according to research analysts Gartner.

So it’s alarming to hear that some Android developers are failing abysmally when it comes to securing their apps. The problem has become so bad that one group of researchers – acting as ‘undercover cops’ – claimed recently they were able to steal bank details, email and social media accounts during a sweep that they made of 13,500 free apps. Not good news for all you app users out there and anyone seeking to keep their systems secure.

How worried should you be by their findings? Very, is the answer.  The researchers – from the Leibniz University of Hannover and the Philipp University of Marburg, Germany – found that, of the 13,500 apps analysed, 1,074 contained code that was potentially vulnerable to a man-in-the-middle (MITM) attack. This is an attack that intercepts regular traffic, then inspects and/or modifies the data before passing it on to its intended destination, without either of the original parties being aware.

What will concern you even more is the level of credentials they were able to capture – many from sites most of us will being using on a daily basis, such as bank accounts, Facebook, Twitter, Google, Yahoo, American Express, Diners Club, PayPal, Microsoft Live ID, Box (simplifies online file storage), remote control servers, arbitrary email accounts and IBM Sametime, amongst others.

Of the 41 apps, one was an antivirus app, which, although it asked for a certificate when downloading virus signatures, would accept any certificate presented to it. Also, on the assumption that the connection was secure, the app made no attempt to validate the file presented to it. 

The researchers were able to feed their own signature file to the antivirus engine. First, they sent an empty signature database that was accepted, effectively turning off the antivirus protection without informing the user. In a second attack, a virus signature was created for the antivirus app itself and sent to the phone. This signature was accepted by the app, which then recognised itself as a virus and recommended to delete itself, which it promptly did.

What these errors clearly highlight is the poor coding practices of some app developers. But it doesn’t stop there. Just as concerning, you might feel, are the inherent failures within the Android operating system itself. What the researchers also discovered is that, unlike the padlock symbol on most modern browsers, there is no visual feedback to indicate whether a secure SSL channel has been established within an application.

"Apps are also not required to signal this themselves and there is nothing stopping an app from displaying wrong, misguided or simply no information," state the researchers. An example of this, you might want to be aware, includes Google's own Play store. Using an invalid SSL certificate (which can be easily tested by changing the system clock) provided no notification to the user that there was a security issue, instead stating that there was no connection.

The researchers surveyed 754 users, with an average age of 24 years, 62% of who identified themselves as being non-IT experts. When given the survey without an SSL connection, 47.5% of the non-IT experts incorrectly thought that they were secure. However, the figure was not much lower for those who identified themselves as IT experts: 34.7% believed they were safe when they were not.

You will be relieved to hear that a notable exception to all of this bad news is the default Android browser itself, which the researchers hailed as being "exemplary in its SSL use”. However, even though it clearly displays meaningful warnings in the event of a potential security issue, and provides visual aids as to whether and when an SSL connection is established, users still had difficulty in discerning secure and unsecure connections.

Of those who wrongly assumed they had a secure connection, 47.7% thought that it was because their provider was trustworthy; 22.7% simply trusted their phone; and 21.6% thought the address URL started with ‘https://’, even though it didn't during the survey.

All a bit unfortunate, you might think; that the survey happened to home in on the worst aspects of apps, putting them in a worse light than they deserve. Maybe not. Another survey, by ViaForensics, examined apps for Google’s Android system and Apple’s iOS, and found that 76% of these actually store usernames with no encryption and 10% do not encrypt passwords

The message is all too clear: if you play with apps, you may well be playing with fire. What, then, are the lessons to be learned from this and how can things be improved? If companies are really intent on eradicating security breaches in applications – both mobile and non-mobile – they will have to start thinking about ways to make good security effortless and intuitive for both developers and customers.

The designers of applications need to make it much easier to implement SSL and TLS correctly, and far more difficult to fall wide of that mark. Development teams have to make SSL/TLS certificate validation a requirement and QA teams need to test for it. Only that way will the apps you choose to use be worth the name.

For more information on how to keep your apps safe, visit this blog post: http://www.symantec.com/connect/blogs/ssl-apps

Comments 5 CommentsJump to latest comment

DeenaThomchick's picture

Hi. I'm Deena and I'm a Symantec employee who works on this and similar issues. You can also visit http://go.symantec.com/trustontheinternet and click on the SSL for Apps tab for more information on this topic.

0
Login to vote
BozosDadd's picture

Deena:

 

You're getting a ton of spam on this.  Is there any way I can avoid so many emails, when 2/3 of what is posted in this board is spam?

 

Maybe you could turn on Captcha for posting.

 

-- Mark

0
Login to vote
lorainebell's picture

I heard of it. The users are vulnerable to accessed logins and banking information, as well as manipulation of app commands and etc..

 

The researchers wrote that the most important thing about their findings is that “research is needed to study which counter-measures offer the right combination of usability for developers and users, security benefits and economic incentives to be deployed on a large scale.”

0
Login to vote
rjowais's picture

You will be relieved to hear that a notable exception to all of this bad news is the default Android apps browser itself, which the researchers hailed as being "exemplary in its SSL use”.

0
Login to vote
joshlee's picture

Most of us have our smartphones/mobile phones  with us virtually constantly. There are thousands of apps that do thousands of various things accessible at the push of a button. And some of them can even get you a little extra pocket change. You just have to take a careful step of choosing which one is worth your trust. And who could not use more of that in this economy? Resource for this article: army pay day loans

0
Login to vote