Android Security Woes
Sascha Fahl, Marian Harbach, Thomas Muders and Matthew Smith of the University of Hannover, Hannover, Germany, and Lars Baumgärtner and Bernd Freisleben of the University of Marburg, Marburg, Germany, published a very interesting paper titled Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security.
They looked at the security threats posed by Android apps that use the SSL/TLS protocols to protect the data they transmit. The researchers analysed 13,500 popular free apps from Google's Play store and found that 1,074 (8.0%) of the apps examined contain SSL/TLS code that is potentially vulnerable to Man-in-the-Middle (MITM) attacks.
Here is the abstract of the research paper:
Many Android apps have a legitimate need to communicate over the Internet and are then responsible for protecting potentially sensitive data during transit. This paper seeks to better understand the potential security threats posed by benign Android apps that use the SSL/TLS protocols to protect data they transmit. Since the lack of visual security indicators for SSL/TLS usage and the inadequate use of SSL/TLS can be exploited to launch Man-in-the-Middle (MITM) attacks, an analysis of 13,500 popular free apps downloaded from Google’s Play Market is presented.
We introduce MalloDroid, a tool to detect potential vulnerability against MITM attacks. Our analysis revealed that 1,074 (8.0%) of the apps examined contain SSL/TLS code that is potentially vulnerable to MITM attacks. Various forms of SSL/TLS misuse were discovered during a further manual audit of 100 selected apps that allowed us to successfully launch MITM attacks against 41 apps and gather a large variety of sensitive data. Furthermore, an online survey was conducted to evaluate users’ perceptions of certificate warnings and HTTPS visual security indicators in Android’s browser, showing that half of the 754 participating users were not able to correctly judge whether their browser session was protected by SSL/TLS or not. We conclude by considering the implications of these findings and discuss several countermeasures with which these problems could be alleviated.
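The abstract speaks of SSL/TLS code that is "potentially vulnerable to MITM attacks" without showing what such code looks like or how a tool might flag it. The script below is an added example written for this page; it is not part of the original post and is not MalloDroid. It embeds a constructed Java snippet containing the classic validation bypasses that make an app trust any server (an X509TrustManager whose checkServerTrusted does nothing and whose getAcceptedIssuers returns null, a HostnameVerifier that always returns true, and the ALLOW_ALL_HOSTNAME_VERIFIER constant) next to a constructed snippet that relies on the platform's default certificate and hostname validation, then runs a small regex-based source scan over both. The rule names, the heuristics and both sample snippets are assumptions made for this example.

```python
"""Heuristic source scan for Android SSL/TLS validation bypasses (example, not MalloDroid)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str      # name of the heuristic that fired (assumed names, chosen for this example)
    line: int      # 1-based line in the scanned source
    snippet: str   # the matched text, whitespace-collapsed


# Assumed heuristics for the misuse patterns that disable certificate or hostname checks.
# These operate on Java source text; they are a simplification for illustration only.
RULES = [
    # X509TrustManager.checkServerTrusted with an empty body: every server chain is accepted.
    ("empty-checkServerTrusted",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}")),
    # getAcceptedIssuers returning null: no issuers are actually trusted/validated.
    ("getAcceptedIssuers-returns-null",
     re.compile(r"getAcceptedIssuers\s*\([^)]*\)\s*\{\s*return\s+null\s*;\s*\}")),
    # HostnameVerifier.verify that always returns true: any hostname matches any certificate.
    ("verify-returns-true",
     re.compile(r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}")),
    # Apache HttpClient constant that disables hostname verification outright.
    ("allow-all-hostname-verifier",
     re.compile(r"\bALLOW_ALL_HOSTNAME_VERIFIER\b")),
]


def scan(source: str) -> list[Finding]:
    """Return every heuristic hit in the given Java source text."""
    findings = []
    for rule, pattern in RULES:
        for m in pattern.finditer(source):
            line = source.count("\n", 0, m.start()) + 1
            findings.append(Finding(rule, line, " ".join(m.group(0).split())))
    return sorted(findings, key=lambda f: (f.line, f.rule))


def is_potentially_vulnerable(source: str) -> bool:
    """True when at least one validation-bypass heuristic fires."""
    return bool(scan(source))


# Constructed sample: an app that installs a trust-everything TrustManager and disables
# hostname verification, so an active network attacker can present any certificate.
VULNERABLE_JAVA = """
TrustManager[] trustAll = new TrustManager[] {
    new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) {}
        public void checkServerTrusted(X509Certificate[] chain, String authType) {}
        public X509Certificate[] getAcceptedIssuers() { return null; }
    }
};
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, trustAll, new SecureRandom());
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
});
SchemeRegistry reg = new SchemeRegistry();
SSLSocketFactory sf = SSLSocketFactory.getSocketFactory();
sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
"""

# Constructed sample: the safe baseline, which overrides nothing and lets the platform's
# default trust store and hostname verifier validate the server.
HARDENED_JAVA = """
URL url = new URL("https://api.example.invalid/v1/profile");
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
conn.connect();
"""


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_JAVA), ("hardened", HARDENED_JAVA)):
        print(f"{name}: potentially vulnerable = {is_potentially_vulnerable(src)}")
        for f in scan(src):
            print(f"  line {f.line}: {f.rule}: {f.snippet}")
```

The scan is deliberately shallow: it looks at source text, while an audit of shipped apps has to work from the packaged app, and an empty method body that contains only a comment, or a verifier that hides its unconditional true behind a variable, will slip past these regexes. What it does show is the shape of the defect: the dangerous code is the code that is present (custom trust managers and verifiers), and the fix for the common case is to delete it and let the default validation run.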
According to the researchers, over 50% of the participants they surveyed online did not know whether their browser session was protected by SSL/TLS.
Here is what the paper had to say:
Furthermore, an online survey was conducted to evaluate users’ perceptions of certificate warnings and HTTPS visual security indicators in Android’s browser, showing that half of the 754 participating users were not able to correctly judge whether their browser session was protected by SSL/TLS or not.