
SSL Vulnerabilities in Android Apps Left Many Users Open to MITM

An analysis of free applications in the Google Play app store found many popular Android apps had SSL vulnerabilities that left them susceptible to man-in-the-middle attacks (MITM).

FireEye’s Mobile Security Team examined the 1,000 most-downloaded free applications in the Google Play app store and found that, as of July 17, 674 of them had one or more SSL vulnerabilities. In particular, the team looked for three issues: the use of trust managers that do not check certificate chains from remote servers; the replacement of platform hostname verifiers by application hostname verifiers that do not verify the hostname of the remote server; and applications that ignore SSL errors when they use WebKit to render server pages.

By far the most common of the three issues was the failure of trust managers to check certificates. That issue was present in 448 of the applications, roughly 73 percent. Hostname verifiers that did nothing were present in eight percent of the applications, while 219 of the 285 applications using WebKit ignored SSL errors generated in WebKit.
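The three API misuses the team looked for, each shown beside the form that keeps the platform's own validation, as an added example that is not from the article or the FireEye report; the class and member names are illustrative.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Hypothetical holder class; the names are illustrative, not from any real app.
public final class TlsPatterns {
    // Issue 1, vulnerable: checkServerTrusted never throws, so every chain,
    // including one presented by an interceptor, is accepted as trusted.
    static final X509TrustManager ACCEPT_ANY_CHAIN = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) {}
        public void checkServerTrusted(X509Certificate[] chain, String authType) {}
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // Issue 1, hardened: a context whose trust manager is the platform's own,
    // initialised from the device CA store (a null KeyStore selects it).
    static SSLContext platformValidatedContext() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Issue 2, vulnerable: a hostname verifier that answers true for any host.
    static final HostnameVerifier ACCEPT_ANY_HOST = (hostname, session) -> true;
    // Issue 2, hardened: keep the platform verifier instead of replacing it.
    static HostnameVerifier platformHostnameVerifier() {
        return HttpsURLConnection.getDefaultHostnameVerifier();
    }

    // Issue 3, vulnerable: proceeding past every SSL error WebKit reports.
    static final class ProceedOnSslError extends WebViewClient {
        @Override public void onReceivedSslError(WebView v, SslErrorHandler h, SslError e) { h.proceed(); }
    }
    // Issue 3, hardened: abort the load. This is also WebViewClient's default
    // behaviour, so the cleanest fix is usually to delete the override entirely.
    static final class CancelOnSslError extends WebViewClient {
        @Override public void onReceivedSslError(WebView v, SslErrorHandler h, SslError e) { h.cancel(); }
    }
}
```

In code review, any trust manager whose checkServerTrusted body is empty, any verifier returning a constant true, and any onReceivedSslError that calls proceed() are the three patterns to flag.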

If unchecked, the vulnerabilities could have allowed an attacker to exfiltrate data sent by the application or by a server, as well as intercept data from the server and either modify it or replace it with malicious data. An attacker could also potentially redirect traffic to an entirely new destination that’s under their control.

The developers of the applications were contacted, and in most cases addressed the issue in subsequent versions of their applications.

“The security properties of HTTPS stem from Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS),” according to FireEye. “The Android platform provides libraries and methods to communicate with a server using these secure network protocols, forming the underpinnings of Public-Key Infrastructure (PKI). But, while the SSL/TLS protocol is designed for enhanced security, incorrect use of the Android platform’s SSL libraries can expose applications to MITM attacks.”

A further examination of roughly 10,000 free applications on Google Play found that roughly 40 percent use trust managers that do not check server certificates, while seven percent use hostname verifiers that do not check hostnames. Thirteen percent do not check SSL errors when they use WebKit.

“We hope that publications like this encourage application developers to stay current on the versions of third-party libraries they use, and to talk to the developers of third-party libraries to ensure the end users’ privacy is not compromised through backdoors,” the FireEye researchers noted.
