Android apps used by millions vulnerable to password, e-mail theft

Android applications downloaded by as many as 185 million users can expose end users' online banking and social networking credentials, e-mail and instant-messaging contents because the programs use inadequate encryption protections, computer scientists have found.

The researchers identified 41 applications in Google's Play Market that leaked sensitive data as it traveled between handsets running the Ice Cream Sandwich version of Android and webservers for banks and other online services. By connecting the devices to a local area network that used a variety of well-known exploits, some of them available online, the scientists were able to defeat the secure sockets layer and transport layer security protocols implemented by the apps. Their research paper didn't identify the programs, except to say they have been downloaded from 39.5 million and 185 million times, based on Google statistics.

"We could gather bank account information, payment credentials for PayPal, American Express and others," the researchers, from Germany's Leibniz University of Hannover and Philipps University of Marburg, wrote. "Furthermore, Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted." Other exposed data included the contents of e-mails and instant messages.

A Google spokesman declined to comment. There was no evidence any of the vulnerable apps were developed by Google employees, although the researchers said there are steps Google engineers could take to better ensure Android apps implement the encryption more securely.

The findings underscore the fragility of the SSL and TLS protocols, which together form the basis for virtually all encryption between websites and end users. While the technology itself is generally considered secure, its protection can be undermined when certificate authorities fail to secure their infrastructure or websites don't take proper precautions. The paper, presented at this week's Computer and Communications Security conference, exposes yet another point of failure, which is poor implementation by app developers.

"All things said, it's generally good research that should make developers more aware of these basic security deficiencies that shouldn't have made it through any respectable QA process," Jon Oberheide, CTO of mobile firm Duo Security, told Ars. "Needless to say, security isn't top of mind of most mobile developers."

The scientists began their research by downloading 13,500 free apps from Google Play and subjecting them to a "static analysis." Those tests checked whether the SSL implementations of the apps were potentially vulnerable to "man-in-the-middle" exploits, in which attackers are able to monitor or tamper with communications flowing over public Wi-Fi hotspots or other unsecured networks. The results identified 1,074 apps, or eight percent of the sample, that contained "SSL specific code that either accepts all certificates or all hostnames for a certificate and thus are potentially vulnerable to MITM attacks."

From the list of the 1,074 potentially vulnerable apps, the researchers picked 100 of them to subject to a manual audit that connected them to a network that used an SSL proxy to test whether the SSL implemented in the devices could be defeated. In some cases, the apps accepted SSL certificates that were signed by the researchers rather than a valid certificate authority. In others, the accepted certificates authorized a domain name other than the one the app was accessing. In still other cases, the apps were defeated by attacks including SSLstrip, which researcher Moxie Marlinspike demonstrated in 2009. Some apps also accepted certificates signed by authorities that are no longer valid. (It appears the Android operating system gives end users a means to manually disable various CAs.)

Example of vulnerabilities included:

• An anti-virus app that accepted invalid certificates when validating the connection supplying new malware signatures. By exploiting that trust, the researchers were able to feed the app their own malicious signature.
• An app with an install base of 1 million to 5 million users that was billed as a "simple and secure" way to upload and download cloud-based data that exposed login credentials. The leakage was the result of a "broken SSL channel."
• A client app for a popular Web 2.0 site with up to 1 million users, which appears to be offered by a third-party developer. It leaked Facebook and Google credentials when logging in to those sites.
• A "very popular cross-platform messaging service" with an install base of 10 million to 50 million users exposed telephone numbers from the address book.