How secure is your Android device? How about your apps? You may not be thrilled to find out the answer to that one.
A new paper from six German academics focuses on the nature of web security for Android apps. The paper was entitled Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security.
**Side note:** As a bit of explanation here, "Eve" and "Mallory" are conventional names for threats in security scenarios: "Eve" is an eavesdropper, and "Mallory" is the "man-in-the-middle."
A man-in-the-middle (MITM) attack is devious but simple. I trick you into connecting to me, instead of, say, to your bank. You do a transaction, but I suck up all the data: username, account number, token code, the lot. I then immediately use this data, while it's still valid, to transact with your bank. Except that I pay the money to myself.
As you can see, MITM attacks are very serious, and they especially demand the attention of Android developers.
The authors of the paper uncovered a major issue after studying 13,500 apps. Specifically, they examined the apps that used HTTPS (secure HTTP) to determine whether the developers had set up the encryption properly.
Just to remind you: SSL is intended to deliver a security trifecta of confidentiality (the data transmitted is encrypted), integrity (the data hasn't been tampered with) and, through a system of digital certificates, authenticity (you really are talking to the right server). It's the digital certificates that stop MITM attacks: used correctly, the certificates mean that Mallory can't pretend to be your bank. He can get in the middle, but you'll notice.
Despite the effort to at least include HTTPS, developers still had some major issues.
In one category of problems, 790 apps used SSL, but their code then accepted every certificate presented to it in order to complete transactions. Developers were on the right track, but unfortunately, they left a serious security door wide open.
Another 284 apps found in Google Play insisted on the use of approved certificates, but those apps were indiscriminate about which site the certificate had actually been issued for.
SSL certificates deliberately have a website name knitted into them, precisely so that a crook can't create one for his own site and then use it as if it belonged to someone else. You're supposed to check that the site and its certificate match to prevent this sort of masquerading.
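The two checks the article says so many apps skipped, as an added example (not code from the paper or from any app it studied): is the certificate signed by an issuer we trust, and does it actually name the host we meant to reach? The certificate class, the trust store and the timestamps are constructed stand-ins; the flags `trust_all` and `check_host` exist only to reproduce the two failure modes described above.

```python
from dataclasses import dataclass


@dataclass
class Cert:
    """Constructed stand-in for an X.509 leaf certificate."""
    subject_names: list   # DNS names from the SubjectAltName extension
    issuer: str           # CA that signed it
    not_after: int        # expiry as a Unix timestamp


# Constructed trust store: the only issuer this client believes.
TRUSTED_ISSUERS = {"Example Root CA"}


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, '*' allowed only as the
    entire leftmost label, covering exactly one label (so *.bank.example does
    not cover bank.example, nor evil.login.bank.example), and never for a
    bare TLD such as *.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def verify_peer(cert: Cert, hostname: str, now: int,
                trust_all: bool = False, check_host: bool = True) -> list:
    """Return the reasons the connection must be refused (empty list = OK).

    trust_all=True reproduces the '790 apps' mistake: any issuer is accepted.
    check_host=False reproduces the '284 apps' mistake: a genuine certificate
    for the wrong site is accepted."""
    problems = []
    if not trust_all and cert.issuer not in TRUSTED_ISSUERS:
        problems.append("untrusted issuer")
    if now > cert.not_after:
        problems.append("expired")
    if check_host and not any(name_matches(n, hostname)
                              for n in cert.subject_names):
        problems.append("hostname mismatch")
    return problems
```

With both flags at their defaults, a certificate for `mallory.example` is refused for a connection to `bank.example`, and a self-signed certificate that does name `bank.example` is refused for its issuer; each flag alone lets exactly one of those through.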
The problem with all of this for Android users is that we don't have an agreed-upon standard for recognizing whether or not our apps are communicating over secure connections. Practically anyone using a desktop web browser can recognize the tiny lock icon that appears in the URL box for secure sites. What can Android users look for?
The authors of the paper suggested several possible solutions, such as:
- Expecting developers to up their game. It would be the responsibility of developers to study data like the report so they can notify the user of possible risks.
- Expecting Google to screen apps for security issues before allowing them into the Play Store.
- Using a verification tool that will assist with the above steps.
Of course, it's a noble idea to state that both sides (Google Play and app developers) should up their efforts, but the reality is that a verification tool is probably the best way to protect your own devices.