An analysis of free applications in the Google Play app store found many popular Android apps had SSL vulnerabilities that left them susceptible to man-in-the-middle attacks (MITM).
FireEye’s Mobile Security Team examined the 1,000 most-downloaded free applications in the Google Play app store and found as of July 17, 674 had one or more SSL vulnerabilities. In particular, the team looked for the following three issues: the use of trust managers that do not check certificate chains from remote servers; the replacement of platform hostname verifiers by application hostname verifiers that do not verify the hostname of the remote server; and applications ignoring SSL errors when they use WebKit to render server pages in mobile apps.
By far, the most common of the three issues involved the failure of trust managers to check certificates. That issue was present in 448 of the applications – a total of roughly 73 percent. Hostname verifiers that did nothing were present in eight percent of the applications, while 219 of the 285 applications using WebKit ignored SSL errors generated in WebKit.
If unchecked, the vulnerabilities could have allowed an attacker to exfiltrate data sent by the application or by a server, as well as intercept data from the server and either modify it or replace it with malicious data. An attacker could also potentially redirect traffic to an entirely new destination that’s under their control.
The developers of the applications were contacted, and in most cases addressed the issue in subsequent versions of their applications.
“The security properties of HTTPS stem from Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS),” according to FireEye. “The Android platform provides libraries and methods to communicate with a server using these secure network protocols, forming the underpinnings of Public-Key Infrastructure (PKI). But, while the SSL/TLS protocol is designed for enhanced security, incorrect use of the Android platform’s SSL libraries can expose applications to MITM attacks.”
A further examination of roughly 10,000 free applications on Google Play found that roughly 40 percent use trust managers that do not check server certificates, while seven percent use hostname verifiers that do not check hostnames. Thirteen percent do not check SSL errors when they use WebKit.
“We hope that publications like this encourage application developers to stay current on the versions of third-party libraries they use, and to talk to the developers of third-party libraries to ensure the end users’ privacy is not compromised through backdoors,” the FireEye researchers noted.