Another day and yet another set of reports alleging insecurity in the Android mobile operating system. This week, not one, but two reports came out detailing security risks in Android.
One of the reports, issued by security vendor FireEye on Aug. 20, deals with Secure Sockets Layer (SSL) security, or lack thereof, in Android apps.
The FireEye researchers found that approximately 68 percent of the 1,000 most downloaded free applications available in the Google Play store have some form of SSL-related security risk.
Among the issues that FireEye uncovered is the fact that across apps that claim to be using SSL, approximately 73 percent did not actually check the SSL certificates for authenticity. FireEye also found that 8 percent of apps did not actually check the hostname on the certificate. The way that SSL works, a certificate should be issued for a specific hostname to be valid.
The issue of bad SSL in mobile apps and specifically Android is not a new topic. In fact, it was recently discussed in great detail during the Defcon conference earlier this month, where a pair of security researchers from LinkedIn detailed multiple SSL-related mobile flaws. As is the case in the FireEye research, the LinkedIn researchers also found certificate and hostname checking to be lacking.
While the SSL issues detailed by the FireEye and LinkedIn researchers deal with how third-party apps use SSL, there are other flaws in Android itself that have been discussed this past week.
In a paper released on Aug. 22, University of California at Riverside and University of Michigan researchers detailed how they could attack Gmail on Android with a 92 percent success rate.
“The security of smartphone GUI frameworks remains an important yet under-scrutinized topic,” the research paper abstract states. “In this paper, we report that on the Android system (and likely other OSes), a weaker form of GUI confidentiality can be breached in the form of UI state (not the pixels) by a background app without requiring any permissions.”
So to recap, many popular apps don’t properly implement SSL, which could enable user information to be compromised. Adding further insult to injury, it’s possible that a malicious app could steal information from an Android user interface.
How to Reduce the Risk
These are serious concerns and should not be dismissed lightly. That said, there are ways that users can reduce the risk.
In the case of apps not using SSL securely, the way an attacker would exploit that flaw is by way of some form of man-in-the-middle (MiTM) attack. In those attacks, the data is intercepted at some point in the network path, potentially at a WiFi access point. Using a virtual private network (VPN) at unknown access points or in public places is always a good idea and a best practice that might reduce the risk.
UI-related attacks require that the user somehow download or is infected by a malicious app first. Again, standard best practice Internet hygiene is a good idea here. Reduce such risk by not downloading apps from outside of the Google Play store. While it is possible that apps in Google Play could be at risk, Google has its own scanning effort to help identify malicious apps that should reduce the potential exposure.
Certainly Android is a platform with very active security research activity, and there are legitimate concerns to be dealt with. The sky, however, is not falling; with security research comes awareness of issues, which hopefully leads to better security outcomes.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.