Security researchers have published a new report that should give Android users cause for concern. They found that many popular free Android apps are vulnerable to “man in the middle” (MITM) attacks and could expose sensitive personal information to hackers.
PCMag’s Chloe Albanesius reported, “Researchers from Philipps University and Leibniz University in Germany examined 13,500 free apps from Google Play and found that about 8 percent contained encryption technology that was vulnerable to ‘Man in the Middle’ (MITM) attacks – where the scammer intercepts data as it travels between the user and its intended target. The researchers picked out 100 apps for manual audit and were able to successfully carry out MITM attacks against 41 of them, despite them being protected by encryption technologies like SSL/TLS.”
Rebecca Greenfield from The Atlantic Wire noted, “While SSL and TLS are effective safety measures on their own, it turns out both app makers and websites aren’t implementing them properly. This research found that these apps would accept fraudulent certificates, making them ‘potentially vulnerable to MITM attacks,’ write the researchers.”
In their report, the researchers wrote, “We have captured credentials for American Express, Diners Club, Paypal, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, IBM Sametime, remote servers, bank accounts and email accounts. We have successfully manipulated virus signatures downloaded via the automatic update functionality of an anti-virus app to neutralize the protection or even to remove arbitrary apps, including the anti-virus program itself. It was possible to remotely inject and execute code in an app created by a vulnerable app-building framework. The cumulative number of installs of apps with confirmed vulnerabilities against MITM attacks is between 39.5 and 185 million users, according to Google’s Play Market.”
According to BBC News, “a follow-up survey of 754 people suggests users could struggle to spot when they were at risk. ‘About half of the participants could not judge the security state of a browser session correctly,’ the researchers wrote.”