
Another warning about Android apps


A security vendor has raked the Google Play store and the Android ecosystem over the coals for allowing apps with SSL vulnerabilities that leave them susceptible to man-in-the-middle attacks to be made available to the public.

The “attacks they enable are wreaking havoc on data security,” researchers at FireEye Inc. said in a blog posting on Thursday.

“The FireEye Mobile Security Team analyzed Google Play’s 1,000 free most downloaded Android applications and found that a significant portion of them are susceptible to MITM attacks. These popular apps allow an attacker to intercept data exchanged between the Android device and a remote server. We notified the developers, who acknowledged the reported vulnerabilities and addressed them in subsequent versions of their applications.”

Because Android is an open ecosystem, its apps have long been criticized by security pros as being among the riskiest mobile applications unless they come from reputable publishers. Google scans the Play store for vulnerabilities, but the FireEye analysis suggests it still isn’t doing a good enough job.

Incorrect use of the Android platform’s SSL libraries can expose applications to MITM attacks, the researchers write, in which traffic between the application and a server, in either direction, can be intercepted, exported, modified or redirected.

Of the 1,000 apps studied, 674 had at least one of these three vulnerabilities:

- Of the 614 applications that use SSL/TLS to communicate with a remote server, 448 (~73 per cent) do not check certificates;
- About 50 apps (eight per cent) had this problem;
- Of the 285 apps that use Webkit, 219 (~77 per cent) ignore SSL errors generated in Webkit.
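As an added illustration (not code from FireEye’s post or from any of the apps named), here are the three patterns the study counts, each beside the safe form, in Android Java; the class and method names are invented for this example:

```java
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/** Illustrative patterns only; class and method names are invented for this example. */
public final class TlsPatterns {
    // Finding 1, "do not check certificates": check methods that never throw accept any chain.
    static final TrustManager TRUST_EVERYTHING = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };
    // Finding 2: a custom verifier that ignores the hostname accepts a valid cert for any other site.
    static final HostnameVerifier ALLOW_ANY_HOST = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) { return true; }
    };
    /** Insecure: both platform checks are overridden. This is the shape code review should flag. */
    static HttpsURLConnection openInsecure(URL url) throws IOException, GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { TRUST_EVERYTHING }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(ALLOW_ANY_HOST);
        return conn;
    }
    /** Secure: the platform default validates the chain against the system trust store and
     *  verifies the hostname. The fix for findings 1 and 2 is to stop overriding it. */
    static HttpsURLConnection openSecure(URL url) throws IOException {
        return (HttpsURLConnection) url.openConnection();
    }
    // Finding 3, Webkit SSL errors ignored: proceed() loads the page over the failed TLS
    // session; cancel(), the inherited default, aborts the load.
    static final class InsecureClient extends WebViewClient {
        @Override public void onReceivedSslError(WebView v, SslErrorHandler h, SslError e) { h.proceed(); }
    }
    static final class SecureClient extends WebViewClient {
        @Override public void onReceivedSslError(WebView v, SslErrorHandler h, SslError e) { h.cancel(); }
    }
}
```

In a code audit, an empty `checkServerTrusted`, a `verify` that returns `true`, or an `onReceivedSslError` that calls `proceed()` are the signatures of the three findings above.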

Among the problems are apps where the developer’s own code is fine but a third-party library they use is vulnerable. Such libraries include the Flurry ad library prior to version 3.4 and the Chartboost ad library prior to version 2.0.1.

Apps the researchers found to be inherently vulnerable include Camera360 Ultimate, which fixed the issues on July 29.
