Researchers recently discovered security vulnerabilities in as many as eight percent of benign (or not intentionally built to steal your information or install malware) Android apps. These apps proved to have inadequate safeguards that would otherwise prevent data theft.
With the frequency with which we’re willing to share our phone numbers, home address, credit card numbers with just about any app, we’ve been taking our personally identifiable information for granted. Third-party developers and malicious hackers can gain unprecedented access to our lives. The latest research paper titled, “Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security,” by researchers from the University of Hannover in Germany sheds light on why we should err on the side of caution.
Rather than testing for known malicious apps meant to capture your data for illicit use, researchers tested 13,500 free benign apps from the Google Play store and uncovered 1,074 apps had holes in their Secure Sockets Layer (SSL) security and Transport Layer Security (TLS) protocols. If you’re unfamiliar with SSL, it’s a two-part authentication system for securely transmitting sensitive data over the Internet, like credit card numbers. TLS is SSL’s predecessor and prevents a third-party from snooping in on your private two-way messages for example.
The 1,074 Android apps that were found to have “inadequate use of SSL/TLS” were susceptible to Man-in-the-Middle (MITM) attacks that can easily exploit and retrieve personally identifiable information about the app’s users.
In a manual audit of 100 apps (which the study did not identify by name), bank information, social media accounts, and cloud storage credentials were just a few of the many personal pieces information that researchers were able to gain access to, and 41 of the 100 apps were discovered to have vulnerabilities. Researchers revealed that they “were able to capture credentials for American Express, Diners Club, Paypal, bank accounts, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, remote control servers, arbitrary email accounts, and IBM Sametime, among others.”
Other additional successful hacks included gaining access to a user’s IP cameras, injecting viruses into an anti-virus app to flag normal apps as viruses, and disabling virus detection altogether. Of these 41 vulnerable apps, between 39.5 and 185 million users are at risk of Man-in-the-Middle attacks.
The researchers then assessed the “average” Android user’s awareness and knowledge about secure connections in an Android browser. The majority of the survey’s participants were students, while the remaining participants were employees. After being asked about the difference between HTTPS and HTTP, and how “a user perceives an SSL warning message,” just 58.9 percent of IT expert participants and only 44.3 percent of non-IT expert participants were able to identify a secure or insecure connection.
While developers may be rushing to get their apps out of the door and a security encryption is the last features on their minds, it’s also clear that users are in need of a crash course on safe browsing practices and security.