It's Not You, Android - It's Your Apps
Android app buyer, beware -- Google Play has no system in place for vetting apps to make sure they're secure, and a whole bunch of them evidently are not. The problem springs from carelessness or ineptness on the part of app creators with respect to SSL implementation. The result is that millions of Android users are at risk -- and there's no easy way to tell if you're one of them.
10/23/12 2:06 PM PT
A substantial number of apps available from Google Play had serious flaws in their Secure Sockets Layer implementations and thus were vulnerable to hack attacks, found researchers at the Leibniz University of Hannover and Philipps University of Marburg.
The team downloaded 13,500 popular free apps to study their use of the SSL or Transport Layer Security protocols, with a particular focus on the apps' vulnerabilities against Man-in-the-Middle (MITM) attacks due to the inadequate or incorrect use of SSL.
The findings were grim.
There were 1,074 apps containing SSL-specific code that were potentially vulnerable to MITM attacks. In addition, 41 of the 100 apps selected for manual audit were vulnerable to MITM attacks due to various forms of SSL misuse. From those 41 apps, the researchers were able to capture credentials for American Express, Diners Club, Paypal, bank accounts, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, remote control servers, arbitrary email accounts, and IBM Sametime.
The cumulative install base of the apps that were vulnerable to MITM attacks was between 39.5 and 185 million users.
Google declined to comment for this story.
The problem in this case isn't Android itself, but poorly written applications for it.
However, this is not a problem unique to Android, Chet Wisniewski, senior security advisor at SophosLabs, told LinuxInsider. There are likely similar problems with applications for iOS, BlackBerry and other smartphone platforms as well.
"For SSL/TLS to work properly, every component must be used the way it is designed," he said. "The flaws pointed out in this research result from application developers turning off or ignoring one part of the TLS specification. It turns out this is quite easy to do as an Android developer, and Google does not have a human review process for every application like Apple does for its App Store."
There was a similar mishandling of information with Apple apps earlier this year.
"Whether it is done intentionally or accidentally," Wisniewski noted, "it is the responsibility of the app developer in the end."
Android as a platform is viewed as an inherently less secure than iOS because it is an open platform, but there are other issues as well -- some of which are intensified by the weak SSL issue.
For starters, Android app stores have little to no oversight, Lamar Bailey, director of security operations for nCircle, pointed out.
"Absolutely anyone can write an app and put it in an Android app store," he told LinuxInsider. "A lot of these apps are written by people with no security knowledge in their spare time."
The recent SSL and TLS bugs illustrate this issue, Bailey continued. "The developers did a poor job implementing a tried-and-true secure communications method -- they probably reused bad code they picked up somewhere on the Internet."
Nearly all Android devices provide the user with the option to install applications from "untrusted" sources, noted Dirk Sugurdson, director of engineering at Rapid7 Mobilisafe.
"By default, Android devices will restrict the installation of mobile applications that aren't published on the Google Market," he told LinuxInsider, "but by simply checking a box in the device settings, the user is able to override this default. Once this box is unchecked, it opens up the possibility of emails, SMS, and websites to be a delivery mechanism for unsafe apps."
Apple, on the other hand, provides no such capability, Sugurdson pointed out. It allows users to install applications only from the iTunes App Store.
No Objective 3rd Party
Another issue for Android users is that there is no reliable way to assess the security of the app, nCircle's Bailey said.
"What we really need is an objective third party that rates the security of popular apps after a code review and security testing," he suggested. "This would provide valuable information for Android app shoppers and help change the mindset of application developers."
For now, Bailey said, Android users should assume that any app they download could be flawed.