Researchers Find Android Apps Leaking Personal Data

WHY WOULD ANYONE USE A FREE BANKING APPLICATION ON THEIR PHONE? Is it more convenient? Using your phone with FREE applications is absolutely discouraged, especially for something like a banking application. These industry-specific applications are a natural target, and the benefit of using such an “app” does not outweigh the risk. Simply put, do not use your phone to log in to your bank!

Information such as bank account details or other important personal financial data could be leaking from insecure Android apps, according to researchers from Germany’s Leibniz University of Hannover and Philipps University of Marburg.

The teams identified 41 insecure apps from Google's Play Market that have been downloaded up to 185 million times. The scientists said they could gather bank account information, as well as PayPal, American Express and other payment credentials.

Ars Technica explains in detail that the findings underscore the fragility of the SSL and TLS protocols which are the foundation of almost all encryption between websites and end users. The problem appears not to be the protocols, but the way they are sometimes implemented.

The scientists began their research by downloading 13,500 free apps from Google Play and subjecting them to a “static analysis.” Those tests checked whether the SSL implementations of the apps were potentially vulnerable to “man-in-the-middle” exploits, in which attackers are able to monitor or tamper with communications flowing over public Wi-Fi hotspots or other unsecured networks. The results identified 1,074 apps, or eight percent of the sample, that contained “SSL specific code that either accepts all certificates or all hostnames for a certificate and thus are potentially vulnerable to MITM attacks…”

The paper lists a variety of ways SSL protection can be improved on the Android platform. One is for the type of static analysis they performed to be done at the time a user is installing an app. Another is to use a technique known as certificate pinning, which makes it much harder for an app or browser to accept fraudulent certificates like the ones used in the study. The researchers also recommended Google engineers develop new ways for Android to make it clear when the connection provided by various apps is encrypted and when it’s not.
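What the study's “accepts all certificates / all hostnames” finding looks like in code, beside the certificate pinning the paper recommends. This is an added illustration written for this page, not code from the paper or from any of the analysed apps; the class name `SslTrustExamples`, the `pinned` and `open` helpers, and pinning the leaf certificate's SHA-256 fingerprint are this example's own assumptions.

```java
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class SslTrustExamples {
    // VULNERABLE: "accepts all certificates". Every chain passes, so a MITM on an open hotspot wins.
    static final X509TrustManager ACCEPT_ALL_CERTS = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) {}
        public void checkServerTrusted(X509Certificate[] chain, String authType) {}
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };
    // VULNERABLE: "accepts all hostnames". Any valid certificate is accepted for any host.
    static final HostnameVerifier ACCEPT_ALL_HOSTS = (hostname, session) -> true;
    // HARDENED: normal platform chain validation plus a certificate pin. The leaf
    // certificate's SHA-256 fingerprint must equal a value compiled into the app (pin design assumed here).
    static X509TrustManager pinned(String expectedLeafSha256Hex) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);   // null = the platform's built-in CA store
        X509TrustManager platform = (X509TrustManager) tmf.getTrustManagers()[0];
        return new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException { platform.checkClientTrusted(chain, authType); }
            public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                platform.checkServerTrusted(chain, authType);   // PKI validation first
                String actual = sha256Hex(chain[0].getEncoded());
                if (!actual.equalsIgnoreCase(expectedLeafSha256Hex))
                    throw new CertificateException("certificate pin mismatch: " + actual);
            }
            public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }
        };
    }
    static String sha256Hex(byte[] der) {
        try {
            return String.format("%064x", new BigInteger(1, MessageDigest.getInstance("SHA-256").digest(der)));
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
    // Wire the pinned trust manager into a connection; the default HostnameVerifier is kept.
    static HttpsURLConnection open(java.net.URL url, String pinHex) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[]{ pinned(pinHex) }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }
}
```

Pinning the leaf certificate means the pin must be updated whenever the server's certificate is renewed; pinning an intermediate CA or the server's public key, as many deployments do, trades some strictness for that flexibility.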

Ars Technica ponders why only Android apps were tested and suggests it might be because of the closed nature of the competing Apple iOS platform, which would make such analysis harder to perform.

A copy of the paper “Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security” is available for download (PDF).
