SecurityWeek

SSL Vulnerabilities in Android Apps Left Many Users Open to MITM

An analysis of free applications in the Google Play app store found many popular Android apps had SSL vulnerabilities that left them susceptible to man-in-the-middle attacks (MITM).

FireEye’s Mobile Security Team examined the 1,000 most-downloaded free applications in the Google Play app store and found that, as of July 17, 674 of them had at least one SSL vulnerability. The team looked for three specific issues: custom trust managers that do not check the certificate chain presented by the remote server; application-supplied hostname verifiers, installed in place of the platform’s, that do not check that the certificate matches the hostname of the remote server; and applications that ignore SSL errors when they use WebKit to render server pages inside the app.

By far the most common of the three issues was a trust manager that does not check certificates. It was present in 448 applications, roughly 73 percent of the apps that actually use SSL/TLS to reach a remote server (not 73 percent of all 1,000). Hostname verifiers that accept any hostname were present in eight percent of the applications, while 219 of the 285 applications using WebKit (about 77 percent) ignored SSL errors raised by WebKit.
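The three misuse patterns FireEye looked for correspond to three Android APIs: a custom X509TrustManager whose checkServerTrusted method does nothing, a HostnameVerifier whose verify method always returns true, and a WebViewClient whose onReceivedSslError calls proceed(). The following is an added example written for this article, not code from FireEye or from any of the applications studied; it places each vulnerable pattern next to a safe alternative. The class name TlsPatterns, the asset name my_ca.crt and the choice of bundling a private CA (the usual reason developers write a trust-all manager in the first place) are assumptions for illustration.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import android.content.Context;
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Illustrative class (assumed name); each VULNERABLE method is paired with a SAFE one.
public final class TlsPatterns {

    // Issue 1, VULNERABLE: every check is a no-op, so a certificate forged by an
    // attacker on the same Wi-Fi network is accepted as the real server's.
    public static void installTrustAllManager() throws Exception {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }

    // Issue 1, SAFE: trust only the CA bundled with the app, while keeping full
    // chain validation. "my_ca.crt" is an assumed asset shipped in the APK.
    public static SSLContext pinnedContext(Context context) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ca;
        try (InputStream in = context.getAssets().open("my_ca.crt")) {
            ca = cf.generateCertificate(in);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                 // empty store, then add our one CA
        ks.setCertificateEntry("ca", ca);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Issue 2, VULNERABLE: the chain may be valid, but a certificate issued for
    // attacker.example is now accepted for a connection to api.example.
    public static void installAllowAllHostnameVerifier() {
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            @Override public boolean verify(String hostname, SSLSession session) { return true; }
        });
    }

    // Issue 2, SAFE: do not install a verifier at all. The connection below uses
    // the pinned context and leaves the platform hostname verifier untouched,
    // so the certificate's subject/SAN is checked against the requested host.
    public static HttpsURLConnection openPinned(Context context, String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(pinnedContext(context).getSocketFactory());
        return conn;
    }

    // Issue 3, VULNERABLE: the page is loaded even though WebKit reported a
    // certificate error, so a MITM can serve arbitrary HTML/JS into the app.
    public static WebViewClient insecureWebViewClient() {
        return new WebViewClient() {
            @Override
            public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
                handler.proceed();
            }
        };
    }

    // Issue 3, SAFE: abort the load. This is also the base-class behaviour, so
    // simply not overriding onReceivedSslError is equivalent.
    public static WebViewClient secureWebViewClient() {
        return new WebViewClient() {
            @Override
            public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
                handler.cancel();
            }
        };
    }
}
```

A quick audit of an APK for these patterns is to decompile it and search for X509TrustManager implementations with empty checkServerTrusted bodies, HostnameVerifier.verify methods that return a constant, and onReceivedSslError overrides that call proceed(); each of the three hits in the study corresponds to one of those searches.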

Left unfixed, the vulnerabilities allow an attacker positioned on the network path, for example the operator of a rogue Wi-Fi access point, to read the data the application sends and the data the server returns, to modify server responses or replace them with malicious content, and to redirect the application’s traffic to a server under the attacker’s control.

The developers of the affected applications were contacted, and in most cases they fixed the issue in subsequent versions.

“The security properties of HTTPS stem from Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS),” according to FireEye. “The Android platform provides libraries and methods to communicate with a server using these secure network protocols, forming the underpinnings of Public-Key Infrastructure (PKI). But, while the SSL/TLS protocol is designed for enhanced security, incorrect use of the Android platform’s SSL libraries can expose applications to MITM attacks.”

A further examination of roughly 10,000 free applications on Google Play found that roughly 40 percent use trust managers that do not check server certificates, while seven percent use hostname verifiers that do not check hostnames. Thirteen percent do not check SSL errors when they use WebKit.

“We hope that publications like this encourage application developers to stay current on the versions of third-party libraries they use, and to talk to the developers of third-party libraries to ensure the end users’ privacy is not compromised through backdoors,” the FireEye researchers noted.
