Researchers recently discovered security vulnerabilities in as many as eight percent of benign (that is, not intentionally built to steal your information or install malware) Android apps. These apps proved to have inadequate safeguards that would otherwise prevent data theft.
Given how readily we share our phone numbers, home addresses and credit card numbers with just about any app, we have been taking our personally identifiable information for granted. Third-party developers and malicious hackers can gain unprecedented access to our lives. The latest research paper, titled “Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security,” by researchers from the University of Hannover in Germany, sheds light on why we should err on the side of caution.
Rather than testing known malicious apps meant to capture your data for illicit use, the researchers tested 13,500 free benign apps from the Google Play store and found that 1,074 of them had holes in their use of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. If you’re unfamiliar with SSL, it’s a two-part authentication system for securely transmitting sensitive data, such as credit card numbers, over the Internet. TLS is SSL’s predecessor and prevents a third party from snooping on your private two-way messages, for example.
The 1,074 Android apps found to have “inadequate use of SSL/TLS” were susceptible to Man-in-the-Middle (MITM) attacks, in which an attacker sitting between the app and its server can read and retrieve personally identifiable information about the app’s users.
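The “inadequate use of SSL/TLS” the study describes comes down to how an app validates the server’s certificate. The following Java is an added illustration, not code from the paper or from any of the audited apps: it shows the two anti-patterns a code reviewer should look for (a TrustManager that accepts any certificate and a HostnameVerifier that accepts any name) next to two safe alternatives, the platform default and pinning to a certificate bundled with the app. The `pemCert` stream and the resource name in the comment are assumptions.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class AndroidTlsPatterns {

    // VULNERABLE (review finding): an empty checkServerTrusted accepts any
    // certificate, so a proxy presenting a self-signed certificate is trusted
    // and can read everything the app sends. Apps often ship this to silence
    // errors from a self-signed test server and forget to remove it.
    static final TrustManager[] TRUST_ALL = new TrustManager[] {
        new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            public void checkServerTrusted(X509Certificate[] chain, String authType) {} // no validation
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };

    // VULNERABLE (review finding): a certificate that is valid for some other
    // host is accepted for this app's server, because the name is never checked.
    static final HostnameVerifier ALLOW_ALL_HOSTS = (hostname, session) -> true;

    // SAFE: the platform default checks the chain against the device trust
    // store, and HttpsURLConnection checks the hostname. Simply never install
    // TRUST_ALL via setSSLSocketFactory() or ALLOW_ALL_HOSTS via setHostnameVerifier().
    public static SSLContext defaultContext() throws Exception {
        return SSLContext.getDefault();
    }

    // SAFE (stricter): trust only the certificate shipped with the app, e.g.
    // read from getResources().openRawResource(R.raw.server) (hypothetical name).
    // A MITM certificate issued by any public CA is then still rejected.
    public static SSLContext pinnedContext(InputStream pemCert) throws Exception {
        Certificate pinned = CertificateFactory.getInstance("X.509").generateCertificate(pemCert);
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        store.load(null, null);                      // empty in-memory trust store
        store.setCertificateEntry("pinned", pinned); // the only trusted anchor
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

Grepping an app’s source for `X509TrustManager` implementations with empty `checkServerTrusted` bodies and for `HostnameVerifier` lambdas that return `true` finds most instances of the first two patterns.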
In a manual audit of 100 apps (which the study did not identify by name), 41 were found to be vulnerable, and bank information, social media accounts and cloud storage credentials were just a few of the many pieces of personal information the researchers were able to access. The researchers revealed that they “were able to capture credentials for American Express, Diners Club, Paypal, bank accounts, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, remote control servers, arbitrary email accounts, and IBM Sametime, among others.”
Other successful attacks included gaining access to a user’s IP cameras, injecting virus signatures into an anti-virus app so that it flagged normal apps as viruses, and disabling virus detection altogether. Across these 41 vulnerable apps, between 39.5 and 185 million users are at risk of Man-in-the-Middle attacks.
The researchers then assessed the “average” Android user’s awareness and knowledge of secure connections in an Android browser. The majority of the survey’s participants were students, and the remainder were employees. When asked about the difference between HTTPS and HTTP, and how “a user perceives an SSL warning message,” just 58.9 percent of IT-expert participants and only 44.3 percent of non-IT-expert participants were able to correctly identify a connection as secure or insecure.
While developers may be rushing to get their apps out the door, with security and encryption the last features on their minds, it’s also clear that users need a crash course in safe browsing practices and security.

Umm, duh, this is why the Apple store is so much better. Apple requires app developers to put these safeguards in place. The Google Play store is a joke, so many crappy apps on there.
It’s open source; people can make virtually anything, and that includes viruses. Google requires developers to say what the app can access, and people need to watch what their apps can do. It’s not Google’s fault, it’s the user’s fault for not being careful.
And Apple’s iPhones can get viruses too. I remember a story about a little app that could send messages and delete stuff on the phone, or something like that.
See, that mentality is stupid, no offense: “It’s not Google’s fault, it’s the user’s fault for not being careful.”
What you are telling me is that every user has to be tech savvy enough to have the foresight to recognize bad apps. Is that right?
I do think it is the responsibility of the user, however, with Apple they have mostly taken that issue away. That’s why I always suggest for less tech savvy people to grab an iOS device instead of Android.
If you’re going to have the technology, you should at least take care of it. And if you don’t have the time to do that, then you should go with the one that is most foolproof.
This article isn’t about intentionally malicious apps.
This article is about how a third party which is unrelated to the developer can access private information due to these security holes. Without proper security in said app, each and everything you do on your phone is in essence an open book to the criminal world.
The authors were able to access credit card information! Does that mean nothing to you? Cause it means a lot to me.
Be more careful with what you install on your device.
I am not careful at all with mine, but I try to only install apps that people use, so I know it is real.
Also read a lot of the comments on the app before installing it.
I think you missed the point of the article.
Apps which are used by other people, and which themselves are not malicious, are vulnerable to outside interception of data due to security flaws. You would never know that the app is vulnerable until it’s too late. Unless you were doing the hacking, you wouldn’t know the source either.
Oh, well. Then they need to be careful with their apps still, so they don’t install anything that can exploit vulns.
What would you suggest checking when being careful? Asking a hacker to hack the app to see if it has any vulnerability?
This is a flaw in the open source model. To be truly open, it can’t place restrictions. But without putting in restrictions, the potential for vulnerabilities exists. The more popular the OS, the more apps will be programmed for it, some of which could be exploited. Also, as the OS grows in popularity, the potential damage a maliciously intentioned individual can do increases as well, as does their incentive.