Android app developers caught napping on SSL security
More than 1,000 legitimate Android apps contain SSL (Secure Sockets Layer) weaknesses, leaving them vulnerable to Man-in-the-Middle (MITM) attacks, researchers have claimed.
SSL security is widely used but poorly understood in the developer community, as indicated by an exclusive TechWeekEurope report from earlier this year, which found many of the UK’s top universities had poorly implemented HTTPS connections.
In their study of 13,500 popular free apps on the Google Play market, researchers from the Leibniz University of Hanover and the Philipps University of Marburg in Germany discovered a variety of SSL flaws in various Android apps. They created their own tool, MalloDroid, to look at the steps apps took when connecting up to the Internet.
They looked at those apps that transmit data over the Internet, discovering 1,074 accepted all certificates or all hostnames for a certificate, not doing the proper trust checks, and were therefore potentially vulnerable to MITM attacks. Cyber crooks could forge their own certificates and use them to trick people running vulnerable apps into unwittingly handing over information.
Looking closer at 41 vulnerable apps, the researchers said they were able to get plenty of valuable data, from Facebook logins, to American Express credentials.
They were even able to inject virus signatures into an anti-virus app to detect arbitrary apps as a virus or disable detection completely.
Anywhere between 39.5 and 185 million users are running apps using weak SSL or TLS (Transport Layer Security – the follow up to SSL) implementations, the researchers claimed. Just three of the vulnerable apps were installed on a between 10 and 50 million phones each.
Google did not comment on the findings. Yet the Android creator may not be the one to blame for the weaknesses, as the researchers noted how it is the application developers who choose whether or not to add the correct checks and balances for SSL implementation.
Various checks should take place when implementing SSL, they said, including looking at whether the subject of a certificate match up with the server a client is attempting to connect to. Developers should also look at whether the Certificate Authority (CA) tasked with signing an SSL certificate is trusted, and whether a certificate is still valid in terms of expiry date or if it has been revoked.
Without naming names, the students found one “generic online banking app”, which was trusting all certificates, even the MITM proxy with a self-signed certificate set up by the researchers. It had between 100,000 and 500,000 users.
“The app uses separate classes for each bank containing different trust manager implementations. 24 of the 43 banks supported were not protected from our MITMA. The app also leaks login credentials for American Express, Diners Club and Paypal,” the researchers said.
Another app with similar flaws, offered instant messaging for the Windows Live Messenger service. The app has an install base of 10 to 50 million users.
The researchers also used an attack known as SSL stripping, where hackers exploit the fact that certain apps switch from HTTP to HTTPS via a link or redirect. Attackers intercept the user’s HTTP session so that when a link is clicked it does not go to an HTTPS protected page.
“Two noteworthy examples vulnerable to this attack are a social networking app and an online services client app. Both apps use the webkit view to enhance either the social networking experience or use online services (search, mail, etc.) and have 1.5 to 6 million installs.”
A number of major apps, including Amazon MP3, Chrome, Facebook and Google+, were all guilty of trusting all root CA signatures, leaving them open to nasty or compromised certificate authorities. SSL pinning, whereby a select group of CAs are cherry picked by the developers, can plug this potential security hole.
The findings will do little good for trust in the Android ecosystem, which has been riddled with security problems. In April, Trend Micro reported that 700,000 malicious Android apps had been downloaded from Google Play.
How well do you know Internet security? Try our quiz and find out!