Report: Faulty encryption leaves some Android apps vulnerable

Posted by Shane McGlaun

A team of university security researchers says 41 Android applications, installed as many as 185 million times in total, have faulty encryption and inadequate SSL protections that let data leak in transit between the device and the web servers it talks to.

If exploited, the weakness would let an attacker steal online banking data, social network credentials, e-mail, instant message contents and more. In addition, the faulty SSL protections in one of the affected apps, an antivirus application, leave data open to theft on Android devices running Ice Cream Sandwich (Android 4.0).

Notably, the researchers declined to name the apps with the alleged faulty protections, but did say the programs had been downloaded between 39.5 million and 185 million times, according to Google's own download statistics.

To demonstrate the vulnerabilities, the researchers connected the test devices to a local area network and used a variety of what they call "well-known" attacks to defeat the apps' Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protections.

"We could gather bank account information, payment credentials for PayPal, American Express and others," the researchers, from Germany's Leibniz University of Hannover and Philipps University of Marburg, wrote. "Furthermore, Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted."
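The article does not say which SSL mistake the apps made; in this class of finding (attacks launched from the same local network against an app's SSL/TLS connections, with credentials recovered as described in the quote above) the usual defect is a client that never checks whose certificate it was handed, so anyone on the network path who answers in the server's place is accepted as the server. The program below is an added example, not the researchers' test harness or code from any of the apps. It recreates that situation on loopback: a constructed self-signed certificate for a made-up bank (`bank.example`), a second one for an attacker (`wifi-router.lan`), a constructed credential (`alice:hunter2`), a "trust-all" client beside a correctly configured one. It is written in Go rather than Android Java because Go's standard library can mint the certificates and run both ends in one file; `InsecureSkipVerify` is the direct analogue of an Android `X509TrustManager` that accepts every certificate.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned mints a throwaway self-signed certificate for dnsName. It plays the
// bank's real certificate in one run and the one an attacker on the same Wi-Fi
// presents in another; neither chains to any real CA. Demo setup, so errors
// (which only occur on entropy failure) are ignored.
func selfSigned(dnsName string) (tls.Certificate, *x509.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: dnsName},
		DNSNames:              []string{dnsName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  true, // lets the cert act as its own trust anchor below
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf
}

// startServer listens once on loopback presenting cert and reports the first
// line the client sends, or "" if the client aborted before sending anything.
func startServer(cert tls.Certificate) (addr string, captured <-chan string) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		panic(err)
	}
	ch := make(chan string, 1)
	go func() {
		defer ln.Close()
		conn, err := ln.Accept()
		if err != nil {
			ch <- ""
			return
		}
		defer conn.Close()
		line, err := bufio.NewReader(conn).ReadString('\n') // the first Read drives the TLS handshake
		if err != nil {
			ch <- "" // client refused our certificate: nothing leaked
			return
		}
		ch <- line[:len(line)-1] // drop the trailing newline
	}()
	return ln.Addr().String(), ch
}

// insecureConfig is the defect: no certificate check at all, so whoever answers on
// the network path is "the bank". On Android the same mistake is an X509TrustManager
// whose checkServerTrusted never throws, or a HostnameVerifier that always returns true.
func insecureConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true}
}

// strictConfig is the fix: trust only the expected certificate and require that it be
// valid for serverName, no matter which address the connection actually went to.
func strictConfig(trusted *x509.Certificate, serverName string) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	return &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS12}
}

// scenario has a client configured with cfg dial an endpoint presenting serverCert and,
// if the handshake passes the client's certificate check, post secret like a login form.
func scenario(serverCert tls.Certificate, cfg *tls.Config, secret string) (string, error) {
	addr, captured := startServer(serverCert)
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, cfg)
	if err == nil {
		fmt.Fprintf(conn, "%s\n", secret)
		conn.Close()
	}
	select {
	case leaked := <-captured:
		return leaked, err
	case <-time.After(5 * time.Second):
		return "", fmt.Errorf("endpoint saw no connection (client error: %v)", err)
	}
}

func main() {
	bank, bankCert := selfSigned("bank.example")
	attacker, _ := selfSigned("wifi-router.lan")
	strict := strictConfig(bankCert, "bank.example")
	fmt.Println(scenario(attacker, insecureConfig(), "alice:hunter2")) // alice:hunter2 <nil>  (credential handed to the attacker)
	fmt.Println(scenario(attacker, strict, "alice:hunter2"))           // "" plus an x509 error (connection aborted, nothing sent)
	fmt.Println(scenario(bank, strict, "alice:hunter2"))               // alice:hunter2 <nil>  (only the real bank receives it)
}
```

The point of the third run is that the fix costs nothing in the normal case: the strict client still reaches the real server, it simply refuses to talk to anything else. Pinning the single expected certificate is the simplest form of the check; an app that relies on the platform's certificate store instead should still let the default verifier run and never replace it with one that accepts everything.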

Although there is little to suggest any of the vulnerable apps were written by Google itself, the researchers noted that engineers at Mountain View could take steps to raise the security bar for apps distributed through Google Play.

"All things said, it's generally good research that should make developers more aware of these basic security deficiencies that shouldn't have made it through any respectable QA process," Jon Oberheide, CTO of mobile firm Duo Security, told Ars Technica. "Needless to say, security isn't top of mind of most mobile developers."