The CERT Coordination Center at Carnegie Mellon University (CERT/CC) has published a list of popular Android applications that fail to properly validate SSL certificates, exposing users to man-in-the-middle (MitM) attacks.
The issue of Android apps failing to validate SSL certificates is not new. A couple of years ago, researchers in Germany published a paper based on the analysis of 13,500 popular free applications with the aid of MalloDroid, a tool that’s designed to detect broken SSL certificate validation in Android programs. The researchers warned at the time that 8% of the analyzed apps contained SSL/TLS code that was potentially vulnerable to MitM attacks, but CERT says the experts didn’t actually alert the developers of the impacted applications.
More recently, researchers at FireEye analyzed 1,000 of the most popular free apps offered on Google Play and found that 68% of them are vulnerable because they either don’t check server certificates, they ignore SSL errors in WebKit, or they don’t verify the hostnames of servers. The applications are exposed to attacks due to vulnerable libraries (such as the Flurry and Chartboost ad libraries), or they are inherently vulnerable. FireEye said it had notified developers, who took steps to secure their products, but CERT pointed out that with the exception of a few cases, the security firm did not name the affected applications, or the authors who were alerted.
This is why CERT has decided to take the issue even further and perform wide-scale automated dynamic tests on the most popular Android apps by using a tool called CERT Tapioca. Tapioca is a network-layer MitM proxy VM based on UbuFuzz, preloaded with mitmproxy, and it can be used to check for apps that fail to validate certificates, and investigate HTTP/HTTPS traffic.
In addition to verifying the apps, the organization is determined to contact the authors of every single application that fails the tests and provide them with information needed to address the vulnerabilities.
A spreadsheet containing the list of tested applications has been published by CERT. The document, which will be kept up to date with new information, contains names, tested versions, test results, CVE identifiers for the vulnerabilities, and other information.
CERT says that while some might find it odd that they have decided to publish the names of the impacted apps without giving developers time to address the vulnerabilities, this move gives an advantage to the users, not the attackers.
“If an attacker is interested in performing MITM attacks, they’re already doing it. That cat is already out of the bag. They’ve likely set up a rogue access point and are already capturing all of the traffic that passes through it,” CERT/CC vulnerability analyst Will Dormann said in a blog post. “If end users have vulnerable applications on their phones, knowing which applications are affected does give an advantage to the defenders. They can choose to uninstall vulnerable applications until fixes are available, or if they must, they can choose to use said applications only on trusted networks.”