Severe vulnerabilities have been found in as many as 41 applications in Google’s Play store. These Android applications, downloaded by as many as 185 million users, can leak sensitive data as it travels between handsets running the Ice Cream Sandwich version of Android and the web servers of banks and other online services, because the programs implement encryption inadequately, computer scientists have found.
The researchers were able to defeat the secure sockets layer (SSL) and transport layer security (TLS) protocols as implemented by the apps and to extract bank account information; PayPal and American Express credentials; Facebook, email and cloud storage data; and access to IP cameras. They did not identify any of the programs in their research papers.
The researchers, from Germany’s Leibniz University of Hannover and Philipps University of Marburg, began by downloading 13,500 free apps from Google Play and subjecting them to a "static analysis", which identified 1,074 of them as potentially vulnerable to man-in-the-middle attacks. From that list, the researchers picked 100 apps for a manual audit to test whether the SSL implementation in each app could actually be defeated.
The following vulnerabilities were found in the various apps, as stated by the researchers:
• An anti-virus app that accepted invalid certificates when validating the connection supplying new malware signatures. By exploiting that trust, the researchers were able to feed the app their own malicious signature.
• An app with an install base of 1 million to 5 million users that was billed as a "simple and secure" way to upload and download cloud-based data that exposed login credentials. The leakage was the result of a "broken SSL channel."
• A client app for a popular Web 2.0 site with up to 1 million users, which appears to be offered by a third-party developer. It leaked Facebook and Google credentials when logging in to those sites.
• A "very popular cross-platform messaging service" with an install base of 10 million to 50 million users exposed telephone numbers from the address book.
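The two-stage approach above (an automated static pass over many apps, then a manual audit of the flagged ones) can be illustrated with a small checker for the kind of code that causes findings like the anti-virus app that accepted invalid certificates. The example below is added here and is not the researchers' tool; the Java fragments it scans are constructed stand-ins for decompiled app code, and the rule set is a minimal, assumed set of patterns (an empty `checkServerTrusted` body, the `ALLOW_ALL_HOSTNAME_VERIFIER` constant, a `verify` method that always returns `true`). A custom `X509TrustManager` on its own is only marked for manual review, since it may implement legitimate pinning.

```python
import re
from typing import List, Tuple

# Constructed Java fragments standing in for decompiled app code. They are
# illustrative input for this checker, not code from any audited application.
PERMISSIVE_CLIENT = """
public class TrustEverything implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // accept any certificate, valid or not
    }
    public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}
HttpsURLConnection.setDefaultHostnameVerifier(
        SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
"""

DEFAULT_CLIENT = """
/* Leaves certificate chain and hostname checks to the platform defaults. */
HttpsURLConnection conn = (HttpsURLConnection) new URL(endpoint).openConnection();
conn.connect();
"""

# (rule name, regex over comment-stripped source, high_confidence).
# High-confidence rules match code that disables a check outright; the
# remaining rule only flags the app for a manual audit.
RULES: List[Tuple[str, str, bool]] = [
    ("empty checkServerTrusted body",
     r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[\w.,\s]*?)?\{\s*\}", True),
    ("ALLOW_ALL_HOSTNAME_VERIFIER", r"\bALLOW_ALL_HOSTNAME_VERIFIER\b", True),
    ("HostnameVerifier.verify always returns true",
     r"\bverify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}", True),
    ("custom X509TrustManager (review manually)",
     r"\bimplements\s+X509TrustManager\b", False),
]

# Naive comment stripper: it does not understand string literals, which is
# acceptable for a demonstration but would need a real lexer in production.
_COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)


def strip_comments(source: str) -> str:
    """Remove // and /* */ comments so a commented-out body still reads as empty."""
    return _COMMENT.sub("", source)


def scan(source: str) -> List[Tuple[str, bool]]:
    """Return (rule name, high_confidence) for every rule that matches."""
    code = strip_comments(source)
    return [(name, high) for name, pat, high in RULES if re.search(pat, code)]


def classify(source: str) -> str:
    """'vulnerable' if a check is disabled outright, 'review' if only a custom
    TrustManager is present, otherwise 'ok'."""
    hits = scan(source)
    if any(high for _, high in hits):
        return "vulnerable"
    return "review" if hits else "ok"


if __name__ == "__main__":
    for label, src in (("permissive", PERMISSIVE_CLIENT), ("default", DEFAULT_CLIENT)):
        print(label, classify(src), [name for name, _ in scan(src)])
```

A static pass like this only finds code that looks dangerous; the page's own numbers (1,074 flagged, 100 audited) show why the manual step remains necessary, since a custom trust manager may be a correct pinning implementation and a permissive one may never be used on a sensitive connection.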
The research papers also describe various ways to improve SSL on the Android platform. The researchers recommended that Google engineers develop a mechanism for Android to check whether the connections made by apps are encrypted. Reports suggest Google may soon equip Android phones with a proprietary malware scanner.