Android apps let down Google's security

Android applications which have not been properly tested are opening the operating system up to malware, insecurity experts have found.

Researchers from Germany’s Leibniz University of Hannover and Philipps University of Marburg, found more than 41 applications in Google’s Play Market leak sensitive data as it travelled between handsets running the Ice Cream Sandwich version of Android and webservers for banks and other online services.

If you connect the devices to a local area network that used a variety of well-known exploits, some of them available online, it was a doddle to defeat the secure sockets layer and transport layer security protocols implemented by the apps.

The apps are popular and have been downloaded from 39.5 million and 185 million times, so there are a lot of insecure Android phones out there.

The researchers said that they could gather bank account information, payment credentials for PayPal, American Express and others.

Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted, they said.

The researchers say that the problems underscore the fragility of the SSL and TLS protocols, which together form the basis for virtually all encryption between websites and users, Ars Technica reports.

The technology itself is fairly secure, but its protection can be undermined when certificate authorities don’t secure their infrastructure.

The researchers downloaded 13,500 free apps from Google Play and checked whether the SSL implementations of the apps were potentially vulnerable to “man-in-the-middle” exploits.

The results identified 1,074 apps, or eight percent of the sample, that contained SSL specific code that either accepts all certificates or all hostnames for a certificate and thus are potentially vulnerable to MITM attacks.

From the list of the 1,074 potentially vulnerable apps, the researchers picked 100 of them to crack and from that list 41 of them were vulnerable.

One thing that does surprise objective viewers that that the researchers didn’t run a comparison with Apple apps.  

The researchers did say that the openness of the Google platform made it easier to perform static analysis and zero in on the apps with SSL implementations that exposed sensitive user data. In other words, it was easier to test which apps were vulnerable using a system they invented. Apple software could also be vulnerable, but it’s harder to come up with an accurate test for it.

However, the vulnerability to apps is possibly universal for smartphones generally and companies would have to be insane to allow DIY policies on that basis.