Connect with us

Hi, what are you looking for?


Mobile & Wireless

CERT Warns of Android Apps Vulnerable to MitM Attacks

The CERT Coordination Center at Carnegie Mellon University (CERT/CC) has published a list of popular Android applications that fail to properly validate SSL certificates, exposing users to man-in-the-middle (MitM) attacks.

The CERT Coordination Center at Carnegie Mellon University (CERT/CC) has published a list of popular Android applications that fail to properly validate SSL certificates, exposing users to man-in-the-middle (MitM) attacks.

The issue of Android apps failing to validate SSL certificates is not new. A couple of years ago, researchers in Germany published a paper based on the analysis of 13,500 popular free applications with the aid of MalloDroid, a tool that’s designed to detect broken SSL certificate validation in Android programs. The researchers warned at the time that 8% of the analyzed apps contained SSL/TLS code that was potentially vulnerable to MitM attacks, but CERT says the experts didn’t actually alert the developers of the impacted applications.

More recently, researchers at FireEye analyzed 1,000 of the most popular free apps offered on Google Play and found that 68% of them are vulnerable because they either don’t check server certificates, they ignore SSL errors in WebKit, or they don’t verify the hostnames of servers. The applications are exposed to attacks due to vulnerable libraries (such as the Flurry and Chartboost ad libraries), or they are inherently vulnerable. FireEye said it had notified developers, who took steps to secure their products, but CERT pointed out that with the exception of a few cases, the security firm did not name the affected applications, or the authors who were alerted.

This is why CERT has decided to take the issue even further and perform wide-scale automated dynamic tests on the most popular Android apps by using a tool called CERT Tapioca. Tapioca is a network-layer MitM proxy VM based on UbuFuzz, preloaded with mitmproxy, and it can be used to check for apps that fail to validate certificates, and investigate HTTP/HTTPS traffic.

In addition to verifying the apps, the organization is determined to contact the authors of every single application that fails the tests and provide them with information needed to address the vulnerabilities.

A spreadsheet containing the list of tested applications has been published by CERT. The document, which will be kept up to date with new information, contains names, tested versions, test results, CVE identifiers for the vulnerabilities, and other information.

CERT says that while some might find it odd that they have decided to publish the names of the impacted apps without giving developers time to address the vulnerabilities, this move gives an advantage to the users, not the attackers.

Advertisement. Scroll to continue reading.

“If an attacker is interested in performing MITM attacks, they’re already doing it. That cat is already out of the bag. They’ve likely set up a rogue access point and are already capturing all of the traffic that passes through it,” CERT/CC vulnerability analyst Will Dormann said in a blog post. “If end users have vulnerable applications on their phones, knowing which applications are affected does give an advantage to the defenders. They can choose to uninstall vulnerable applications until fixes are available, or if they must, they can choose to use said applications only on trusted networks.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...