8% of apps on Google Play potentially endanger user safety

    German scientists (yes, this time their British colleagues have nothing to do with it!) have just published the results of a recent study of the security of Android applications hosted on Google Play. A short piece on Mashable about the study, with a video presentation that says little and the loud headline "Study Reveals Android Apps Leak Personal Data", made me turn to the original source.

    In short, the findings are as follows (what follows is a translation of the report summary):

    Results


    1,074 of the 13,500 applications investigated use SSL to send personal data (logins, passwords, payment details, etc.), but they either accept any certificate without verification or accept any host name for a certificate, and are therefore potentially vulnerable to man-in-the-middle (MITM) attacks.
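    As an added illustration (not code from the report or from any of the applications studied): the TrustManager and HostnameVerifier overrides that produce the first finding, beside the form that keeps the platform's verification. Java, as in a typical Android app of the time; the class name and URL are placeholders.

```java
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class SslPatterns {

    // The pattern the study found: a TrustManager that accepts every certificate
    // chain and a HostnameVerifier that accepts every host. Any MITM presenting a
    // self-signed certificate is then accepted as if it were the real server.
    static HttpsURLConnection openInsecure(String url)
            throws IOException, GeneralSecurityException {
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) { }
            public void checkServerTrusted(X509Certificate[] c, String a) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String host, SSLSession s) { return true; }
        });
        return conn;
    }

    // Verifying form: keep the platform's default TrustManager (system CA store)
    // and default HostnameVerifier. Nothing is overridden, so an attacker's
    // certificate fails chain validation or host-name matching and the handshake
    // is refused with an SSLHandshakeException. Catching that exception and
    // falling back to openInsecure() would reintroduce the vulnerability.
    static HttpsURLConnection openVerified(String url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        // Deliberately no setSSLSocketFactory / setHostnameVerifier calls.
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder URL; an app would use the service it actually talks to.
        HttpsURLConnection conn = openVerified("https://example.com/");
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```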

    41 of the 100 applications selected for more detailed manual testing turned out to be genuinely vulnerable to such attacks because of incorrect SSL handling.

    According to the Google Play Market, the total number of users who have the applications with confirmed vulnerabilities installed on their smartphones is between 39.5 and 185 million. Three of these applications each have 10 to 50 million users. The spread is because the Google Play Market does not show the exact number of users of an application, only the range it falls into. The actual number of users is probably higher, since unofficial repositories exist alongside the official one.

    From the data transmitted by these 41 applications, the researchers managed to obtain payment data for American Express, Diners Club and PayPal, various bank accounts, credentials for Facebook, Twitter, Google, Yahoo, Microsoft Live ID, WordPress and remotely managed servers, passwords for email services and IBM Sametime, etc.

    The researchers also managed to inject their own virus signatures into an anti-virus application so that it treated arbitrary software as a virus or stopped detecting viruses altogether (the anti-virus accepted its signature database update over a broken SSL connection that it mistakenly trusted, and did not check the integrity of the received update; it also accepted updates that completely erased the signature database).

    They also managed to remotely inject and run code in an application built with an application-building framework in which they found the same vulnerability.

    Worse, 378 (50.1%) of the 754 Android users surveyed online could not tell whether the browser was transmitting data over SSL or not. 419 (55.6%) of the 754 did not see any warning about an incorrect certificate and usually rated the risk they were warned about as medium or low. The respondents also included IT specialists (38.1% considered themselves IT experts, and 23.2% had previously dealt with compromised accounts or other authentication data).

    Moral for the developer: be careful!
    Moral for the user: do not use open Wi-Fi without a password where this can be avoided. If you cannot avoid it, use only very, very reliable and proven applications (for me this probably means only Gmail from Google).

    For additional reading


    Full report (Eng.)
    Another story, this time about the Trojan!FakeLookout.A for Android, which got into an application on the Google Play Market (Eng.)
    Translation of the story about Trojan!FakeLookout.A with my own brief comments.
