Internet - Discovering the Internet
Rescooped by Samuel Frank Campbell from Mobile Application Solutions!

Over 1,000 Android Apps Contain SSL Security Flaws


More than 1,000 legitimate Android apps contain SSL (Secure Sockets Layer) weaknesses, leaving them vulnerable to Man-in-the-Middle (MITM) attacks, researchers have claimed.

SSL security is widely used but poorly understood in the developer community, as indicated by an exclusive TechWeekEurope report from earlier this year, which found many of the UK’s top universities had poorly implemented HTTPS connections.

In their study of 13,500 popular free apps on the Google Play market, researchers from the Leibniz University of Hanover and the Philipps University of Marburg in Germany discovered a variety of SSL flaws in various Android apps. They created their own tool, MalloDroid, to examine the steps apps took when connecting to the Internet.

Android apps flaws

They looked at those apps that transmit data over the Internet, discovering that 1,074 accepted all certificates or all hostnames for a certificate, skipping the proper trust checks, and were therefore potentially vulnerable to MITM attacks. Cyber crooks could forge their own certificates and use them to trick people running vulnerable apps into unwittingly handing over information.

Looking closer at 41 vulnerable apps, the researchers said they were able to get plenty of valuable data, from Facebook logins, to American Express credentials.

They were even able to inject virus signatures into an anti-virus app to detect arbitrary apps as a virus or disable detection completely.

Anywhere between 39.5 and 185 million users are running apps using weak SSL or TLS (Transport Layer Security, the follow-up to SSL) implementations, the researchers claimed. Just three of the vulnerable apps were installed on between 10 and 50 million phones each.

Google did not comment on the findings. Yet the Android creator may not be the one to blame for the weaknesses, as the researchers noted how it is the application developers who choose whether or not to add the correct checks and balances for SSL implementation.

Various checks should take place when implementing SSL, they said, including whether the subject of a certificate matches the server a client is attempting to connect to. Developers should also check whether the Certificate Authority (CA) that signed an SSL certificate is trusted, and whether a certificate is still valid, both in terms of its expiry date and whether it has been revoked.
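The checks just listed, written out as an added Python example (not code from the study, from MalloDroid, or from any app it examined): the certificates are constructed samples in the layout Python's `ssl.SSLSocket.getpeercert()` returns, `TRUSTED_CAS` stands in for the device trust store or a pinned subset of it, and the last two functions show the "accept everything" configuration the researchers found beside the default, verifying one. Revocation checking is not covered.

```python
import ssl
import time
# Constructed: the certificate a bank's real API server would present.
GOOD_CERT = {
    "subject": ((("commonName", "api.example-bank.test"),),),
    "issuer": ((("commonName", "Example Trusted Root CA"),),),
    "subjectAltName": (("DNS", "api.example-bank.test"), ("DNS", "*.example-bank.test")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
# Constructed: a self-signed certificate carrying the right name, as an interception proxy presents.
MITM_CERT = dict(GOOD_CERT, issuer=((("commonName", "api.example-bank.test"),),))
TRUSTED_CAS = {"Example Trusted Root CA"}  # stand-in for the device trust store, or a pinned subset

def _cn(name):
    """Extract commonName from getpeercert()'s nested tuple-of-RDNs layout."""
    return next(v for rdn in name for k, v in rdn if k == "commonName")

def hostname_matches(cert, host):
    """SAN DNS names (CN as fallback) must match; a wildcard covers one label, leftmost only."""
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"] or [_cn(cert["subject"])]
    h = host.lower().split(".")
    for name in names:
        p = name.lower().split(".")
        if len(p) == len(h) and all(a == b or (a == "*" and i == 0) for i, (a, b) in enumerate(zip(p, h))):
            return True
    return False

def validate(cert, host, trusted_cas=TRUSTED_CAS, now=None):
    """Return the list of failed checks; an empty list means the certificate is acceptable."""
    now = time.time() if now is None else now
    failures = []
    if not hostname_matches(cert, host):
        failures.append("hostname mismatch")
    if _cn(cert["issuer"]) not in trusted_cas:
        failures.append("untrusted issuer")
    if not ssl.cert_time_to_seconds(cert["notBefore"]) <= now <= ssl.cert_time_to_seconds(cert["notAfter"]):
        failures.append("outside validity period")
    return failures

def trust_all_context():
    """The flaw in ssl-module terms: no hostname check and no chain verification at all."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # accepts any hostname
    ctx.verify_mode = ssl.CERT_NONE  # accepts any certificate, self-signed included
    return ctx

def strict_context():
    """The corrected form: the default context verifies both the chain and the hostname."""
    return ssl.create_default_context()
```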

Without naming names, the researchers found one “generic online banking app” that trusted all certificates, including the self-signed certificate of the MITM proxy the researchers set up. It had between 100,000 and 500,000 users.

“The app uses separate classes for each bank containing different trust manager implementations. 24 of the 43 banks supported were not protected from our MITMA. The app also leaks login credentials for American Express, Diners Club and Paypal,” the researchers said.

Another app with similar flaws offered instant messaging for the Windows Live Messenger service. The app has an install base of 10 to 50 million users.

The researchers also used an attack known as SSL stripping, which exploits the fact that certain apps switch from HTTP to HTTPS via a link or redirect. An attacker intercepts the user’s HTTP session so that when a link is clicked it does not go to the HTTPS-protected page.

“Two noteworthy examples vulnerable to this attack are a social networking app and an online services client app. Both apps use the webkit view to enhance either the social networking experience or use online services (search, mail, etc.) and have 1.5 to 6 million installs.”

A number of major apps, including Amazon MP3, Chrome, Facebook and Google+, were all guilty of trusting all root CA signatures, leaving them open to malicious or compromised certificate authorities. SSL pinning, whereby the developers restrict trust to a select group of cherry-picked CAs, can plug this potential security hole.

The findings will do little good for trust in the Android ecosystem, which has been riddled with security problems. In April, Trend Micro reported that 700,000 malicious Android apps had been downloaded from Google Play.



Via Igniva Solutions
Rescooped by Samuel Frank Campbell from!

Discovering the Power of the Internet and Online Search Sites

The Internet has tremendously improved the way we live our lives.  With its power, we now have access to information in a single click.  Gone are the days of scouring over pages...

Via AlyssaOverton
AlyssaOverton's curator insight, June 21, 2013 3:00 AM

It is no wonder that almost every single business uses the Internet to make their contact details visible. The web has become the new battlefield for consumer domination.  If you’re not visible on the web, you will run the risk of fading into oblivion.


Scooped by Samuel Frank Campbell!

8tracks internet radio | Free music playlists | Best app for music

Welcome to 8tracks, the best place for music discovery on the internet. Create your own playlist to share with the world, or listen for free to perfect music for any taste, time and place.
Rescooped by Samuel Frank Campbell from kaigarlick!

Discovering deals over the internet


Via kaigarlick
kaigarlick's curator insight, March 4, 2013 6:27 PM
Where can I find a GreatClips printable discount coupon?
Scooped by Samuel Frank Campbell!

What supercool connections have you made through the Internet? |
