Android Apps Left 185 Million Users Vulnerable: Report

Android developers have left some apps vulnerable to attacks, says a new report. Researchers were able to capture user credentials for American Express and other sites.

Android applications in the Google Play store have made the banking credentials and other private information of many as 185 million users vulnerable to exposure, according to a report from Leibniz University of Hannover, Germany, and Philipps University of Marburg, Germany, picked up in Ars Technica.

The report, presented at the Computer and Communications Security conference in Raleigh, N.C., last week, blamed app developers for poorly implementing Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, which together encrypt information between Websites and users.

The researchers randomly selected 13,500 free apps from Google Play and found 1,074, or 8 percent, to be potentially vulnerable to man-in-the-middle (MITM) attacks.

"Various forms of SSL/TLS misuse were discovered during a further manual audit of 100 selected apps that allowed us to successfully launch MITM attacks against 41 apps [using software available on the Internet] and gather a large variety of sensitive data," the researchers wrote in an abstract.

They wrote that they were able to capture credentials for "American Express, Diners Club, Paypal, bank accounts, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, remote control servers, arbitrary email accounts and IBM Sametime, among others."

In one example, they explained:

We found several prominent mail apps that had issues with missing feedback. Both were dedicated apps for specific online services. The first app with an install base between 10 [million] and 50 million users handled registration and log-in via a secure SSL connection, but the default settings for sending and receiving email are set to HTTP. They can be changed by the user, but the user needs to stumble upon this possibility first. Meanwhile, there was no indication that the emails were not protected.

The researchers were also able to inject virus signatures into an antivirus app to disable virus protection. Further, in an online study with 754 participants, conducted to gauge users' perceptions of security warnings, 56 percent didn't notice a certificate warning and "typically rated the risk they were warned against as medium to low." Fifty percent were also unable to correctly judge whether their browser session was protected by SSL/TLS or not.

What to do? Three countermeasures are possible, says the report—a solution integrated into the Android OS, a solution integrated into the app markets and a stand-alone solution. The researchers also plan to make their MalloDroid Web App—a tool for detecting vulnerabilities against MITM attacks—available to Android users, and called for "more education and simpler tools to enable easy and secure development of Android apps."

They also called for more research, which they said was needed to study which countermeasures "offered the right combination of usability for developers and users, security benefits and economic incentives to be deployed on a larger scale."

Google didn't immediately respond to a request for comment.

Follow Michelle Maisto on Twitter.