Nowadays, we use our phones for so much it's a wonder we ever need a computer lying around. How many of you out there bank with your smartphone? Purchase stuff online with it? Send sensitive, personal data over e-mail? These are things that I'm sure form part of a regular day for most of us; we've come to rely on our smartphones for them, and we rely on them to be secure. Whilst Android might not be an open door in a bad neighbourhood, it's had its fair share of security scares over the years, and a recent research study showed that a lot of the apps we use day-to-day are more vulnerable to data theft than we'd like them to be.
Researchers at Leibniz University in Hannover and Philipps University in Marburg identified 41 Android apps from the Play Store that leaked information when communicating with banks' web servers and other online services. All apps were tested on Ice Cream Sandwich, and between them they have been downloaded somewhere between 39.5 million and 185 million times. The researchers extracted this data by intercepting the apps' connections on a local area network, using well-known attack techniques, some of which are documented online.
"We could gather bank account information, payment credentials for PayPal, American Express and others," the researchers wrote. "Furthermore, Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted."
The findings of the researchers exposed great weaknesses in how apps use the SSL and TLS protocols, which are supposed to encrypt sensitive data as it travels to and from websites and online services. SSL and TLS themselves are rather secure; however, if they are implemented poorly, or if certificate authorities have lax security, then any benefit is thrown out of the window. The researchers presented their paper at the Computer and Communications Security conference, exposing poor implementation by app developers.
"All things said, it's generally good research that should make developers more aware of these basic security deficiencies that shouldn't have made it through any respectable QA process," Jon Oberheide, CTO of Duo Security, told Ars Technica. "Needless to say, security isn't top of mind of most mobile developers."
Whilst the researchers didn't say whether any of the apps in question were developed by Google, they did say that there was work that could be done in Android itself to prevent such massive leaks of sensitive data. The researchers began by downloading roughly 13,500 free Android apps from the Play Store and running them through a "static analysis"; from this test group, 1,074 apps were found to leak data over public WiFi hotspots or unsecured networks. A majority of the apps in question were written to accept SSL certificates from any issuer, to accept a certificate for any hostname, or both.
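To make the last sentence concrete, here is an added example (not code from the article, the researchers, or any of the apps they studied) showing what "accept SSL certificates from anybody and for any hostname" looks like in Android/Java code, next to a hardened client that trusts only a CA certificate shipped inside the app. The resource name `bank_ca.crt`, the class name and the `fetch` helper are assumptions made for the illustration; the `javax.net.ssl` classes are the standard platform APIs.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TlsClientExample {

    // VULNERABLE: the pattern the study found in most of the 1,074 apps.
    // checkServerTrusted() never throws, so *every* certificate is accepted and
    // anyone on the same Wi-Fi who can get between the app and the bank can
    // present their own certificate and read the traffic. Shown here so it can
    // be recognised in a code review, not copied.
    static SSLContext trustEverythingContext() throws Exception {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        return ctx;
    }

    // VULNERABLE: the companion mistake. Even with a valid CA-issued certificate,
    // returning true here means a certificate for any.other.site is accepted
    // when the app connects to the bank.
    static final HostnameVerifier ALLOW_ALL_HOSTS = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) { return true; }
    };

    // HARDENED: build a trust store that contains only the CA certificate the
    // app ships with (assumed to be bundled as res/raw/bank_ca.crt and passed in
    // as a stream). The platform's default TrustManager still performs full
    // chain validation, expiry checks and so on; it just has a single anchor.
    static SSLContext pinnedContext(InputStream pemCertificate) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca = (X509Certificate) cf.generateCertificate(pemCertificate);

        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);                 // start with an empty in-memory store
        trustStore.setCertificateEntry("pinned-ca", ca);

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Uses the given context and, deliberately, the platform's *default*
    // HostnameVerifier, which checks the certificate's name against url.getHost().
    static String fetch(URL url, SSLContext ctx) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Never call conn.setHostnameVerifier(ALLOW_ALL_HOSTS) here.
        try (InputStream in = conn.getInputStream()) {
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[4096];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
            return out.toString("UTF-8");
        }
    }
}
```

The two vulnerable pieces are usually introduced to "make it work" against a test server with a self-signed certificate and then never removed; searching an app's code for `X509TrustManager` implementations with empty `checkServerTrusted` bodies and for `HostnameVerifier` implementations that return `true` is the quick way to find them. If a self-signed server certificate is what the app genuinely needs to talk to, the `pinnedContext` approach above still works: pass that certificate in as the single trust anchor instead of disabling validation.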
It's scary to see that a portion of the apps we use, no matter how small, is leaving us vulnerable to data theft, especially when you consider how easily we bank at the coffee shop over the free WiFi, or on the go on our phones. Let's just hope that the developers of the apps in question were contacted privately and that the security issues are being looked at.
[Source: Ars Technica]