It appears you have not yet registered with our community. To register please click here...

 
Go Back [M] > Madshrimps > WebNews
Android apps let down Google's security Android apps let down Google's security
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read


Android apps let down Google's security
Reply
 
Thread Tools
Old 24th October 2012, 09:19   #1
[M] Reviewer
 
Stefan Mileschin's Avatar
 
Join Date: May 2010
Location: Romania
Posts: 90,855
Stefan Mileschin Freshly Registered
Default Android apps let down Google's security

Android applications which have not been properly tested are opening the operating system up to malware, insecurity experts have found.

Researchers from Germany's Leibniz University of Hannover and Philipps University of Marburg, found more than 41 applications in Google's Play Market leak sensitive data as it travelled between handsets running the Ice Cream Sandwich version of Android and webservers for banks and other online services.

If you connect the devices to a local area network that used a variety of well-known exploits, some of them available online, it was a doddle to defeat the secure sockets layer and transport layer security protocols implemented by the apps.

The apps are popular and have been downloaded from 39.5 million and 185 million times, so there are a lot of insecure Android phones out there.

The researchers said that they could gather bank account information, payment credentials for PayPal, American Express and others.

Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted, they said.

The researchers say that the problems underscore the fragility of the SSL and TLS protocols, which together form the basis for virtually all encryption between websites and users, Ars Technica reports.

The technology itself is fairly secure, but its protection can be undermined when certificate authorities don't secure their infrastructure.

The researchers downloaded 13,500 free apps from Google Play and checked whether the SSL implementations of the apps were potentially vulnerable to "man-in-the-middle" exploits.

The results identified 1,074 apps, or eight percent of the sample, that contained SSL specific code that either accepts all certificates or all hostnames for a certificate and thus are potentially vulnerable to MITM attacks.

From the list of the 1,074 potentially vulnerable apps, the researchers picked 100 of them to crack and from that list 41 of them were vulnerable.

One thing that does surprise objective viewers that that the researchers didn't run a comparison with Apple apps.

The researchers did say that the openness of the Google platform made it easier to perform static analysis and zero in on the apps with SSL implementations that exposed sensitive user data. In other words, it was easier to test which apps were vulnerable using a system they invented. Apple software could also be vulnerable, but it's harder to come up with an accurate test for it.

However, the vulnerability to apps is possibly universal for smartphones generally and companies would have to be insane to allow DIY policies on that basis.

http://news.techeye.net/security/and...ogles-security
Stefan Mileschin is offline   Reply With Quote
Reply


Similar Threads
Thread Thread Starter Forum Replies Last Post
AMD AppZone Brings Graphics-Accelerated Windows and Android Apps to PCs Worldwide Stefan Mileschin WebNews 0 28th September 2012 07:40
MapQuest picks TomTom Maps to power iPhone and Android turn-by-turn navigation apps Stefan Mileschin WebNews 0 16th July 2012 09:04
Android 4.1 Jelly Bean review: a look at what's changed in Google's mobile OS Stefan Mileschin WebNews 0 29th June 2012 07:35
Baidu custom ROM for Nexus S swaps Google's apps for Baidu's own Stefan Mileschin WebNews 0 5th June 2012 08:31
Tizen OS will run Android apps -- with a little help from third-party software Stefan Mileschin WebNews 0 16th May 2012 08:26
RealVNC teams up with Sony to bring Android apps to the dashboard Stefan Mileschin WebNews 0 28th February 2012 07:51
Moving Your 'Non-Movable' Android Apps to an SD Card @ Techgage Stefan Mileschin WebNews 0 22nd December 2011 07:54
Malicious Android Apps Double in Six Months Stefan Mileschin WebNews 0 15th December 2011 07:47
8 Out of 10 Software Apps Fail Security Test Stefan Mileschin WebNews 0 8th December 2011 08:02

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


All times are GMT +1. The time now is 09:41.


Powered by vBulletin® - Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO