October 22, 2012
Many Android Apps Identified For Leaking Sensitive Data
Enid Burns for redOrbit.com — Your Universe Online
As many as 41 apps in Google's Play Market were found to leak sensitive data, such as online banking and social networking credentials, as well as email and instant messaging communications. The programs identified were running on handsets using the Ice Cream Sandwich version of Android software. The apps that make user phones vulnerable were identified in a research paper published by computer scientists at the Leibniz University of Hannover and the Philipps University of Marburg, both in Germany.
Specific apps were not identified, however researchers conducted analysis on 13,500 free apps they downloaded from the Google Play Market. Findings conclude that as many as 39.5 million users have downloaded these apps 185 million times, according to statistics listed by Google.
The researchers identify the legitimate need for apps to communicate over the internet, yet say these apps are then responsible for protecting potentially sensitive data during transit. Not all apps follow through in shoring up security holes. The paper looks to understand the potential security threats posed by Android apps that use SSL and TLS protocols to protect the data transmitted. According to researchers, benign apps inadvertently contain inadequate SSL/TLS code that is potentially vulnerable to Man-in-the-Middle (MITL) attacks.
Using a tool called MalloDroid, researchers were able to detect which apps expose potential vulnerability against MTIM attacks. In the paper, researchers identified 1,074 (8%) of the apps examined contained SSL/TLS code that is potentially vulnerable to MITM attacks.
The problem is the apps failed to implement standard scrambling systems, according to an article in BBC News on the paper. Failure to scramble the data allows MITM attacks to reveal data that passes back and forth between devices and websites or servers.
To conduct the study, researchers created a fake Wi-Fi hotspot using a specially created attack tool, MalloDroid, to spy on the data the apps sent to servers. BBC News reports that researchers were able to identify a number of ways data were revealed. Researchers were able to capture login details for online bank accounts, email services, social media sites and corporate networks. They were also able to disable security programs, or fool programs into labeling secure apps as infected. The programmers were able to inject computer code into the data stream that made apps carry out specific commands.
Even if the apps themselves were not designed to capitalize on this data, the apps allow a back door for hackers and others who are looking to gain access to phones and the data on them.
"We could gather bank account information, payment credentials for PayPal, American Express and others," Ars Technica quotes the researchers on the paper as explaining. "Furthermore, Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted.
Findings shine a light on the vulnerabilities of SSL and TLS protocols. Ars Technica said the technology itself is generally considered secure, yet any security measures can be undermined when certificate authorities don't take the steps necessary to secure their infrastructure.