| ||Thread Tools|
|24th October 2012, 09:19||#1|
Join Date: May 2010
Android apps let down Google's security
Android applications which have not been properly tested are opening the operating system up to malware, insecurity experts have found.
Researchers from Germany's Leibniz University of Hannover and Philipps University of Marburg, found more than 41 applications in Google's Play Market leak sensitive data as it travelled between handsets running the Ice Cream Sandwich version of Android and webservers for banks and other online services.
If you connect the devices to a local area network that used a variety of well-known exploits, some of them available online, it was a doddle to defeat the secure sockets layer and transport layer security protocols implemented by the apps.
The apps are popular and have been downloaded from 39.5 million and 185 million times, so there are a lot of insecure Android phones out there.
The researchers said that they could gather bank account information, payment credentials for PayPal, American Express and others.
Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted, they said.
The researchers say that the problems underscore the fragility of the SSL and TLS protocols, which together form the basis for virtually all encryption between websites and users, Ars Technica reports.
The technology itself is fairly secure, but its protection can be undermined when certificate authorities don't secure their infrastructure.
The researchers downloaded 13,500 free apps from Google Play and checked whether the SSL implementations of the apps were potentially vulnerable to "man-in-the-middle" exploits.
The results identified 1,074 apps, or eight percent of the sample, that contained SSL specific code that either accepts all certificates or all hostnames for a certificate and thus are potentially vulnerable to MITM attacks.
From the list of the 1,074 potentially vulnerable apps, the researchers picked 100 of them to crack and from that list 41 of them were vulnerable.
One thing that does surprise objective viewers that that the researchers didn't run a comparison with Apple apps.
The researchers did say that the openness of the Google platform made it easier to perform static analysis and zero in on the apps with SSL implementations that exposed sensitive user data. In other words, it was easier to test which apps were vulnerable using a system they invented. Apple software could also be vulnerable, but it's harder to come up with an accurate test for it.
However, the vulnerability to apps is possibly universal for smartphones generally and companies would have to be insane to allow DIY policies on that basis.
|Thread||Thread Starter||Forum||Replies||Last Post|
|AMD AppZone Brings Graphics-Accelerated Windows and Android Apps to PCs Worldwide||Stefan Mileschin||WebNews||0||28th September 2012 07:40|
|MapQuest picks TomTom Maps to power iPhone and Android turn-by-turn navigation apps||Stefan Mileschin||WebNews||0||16th July 2012 09:04|
|Android 4.1 Jelly Bean review: a look at what's changed in Google's mobile OS||Stefan Mileschin||WebNews||0||29th June 2012 07:35|
|Baidu custom ROM for Nexus S swaps Google's apps for Baidu's own||Stefan Mileschin||WebNews||0||5th June 2012 08:31|
|Tizen OS will run Android apps -- with a little help from third-party software||Stefan Mileschin||WebNews||0||16th May 2012 08:26|
|RealVNC teams up with Sony to bring Android apps to the dashboard||Stefan Mileschin||WebNews||0||28th February 2012 07:51|
|Moving Your 'Non-Movable' Android Apps to an SD Card @ Techgage||Stefan Mileschin||WebNews||0||22nd December 2011 07:54|
|Malicious Android Apps Double in Six Months||Stefan Mileschin||WebNews||0||15th December 2011 07:47|
|8 Out of 10 Software Apps Fail Security Test||Stefan Mileschin||WebNews||0||8th December 2011 08:02|