Fraunhofer SIT: Massive Security Issues with Apps

Apps may pose a security risk (Photo: Business Wire)

DARMSTADT, Germany--Many popular Android apps pose significant security threats. This is the conclusion reached by researchers at the Fraunhofer Institute for Secure Information Technology in Darmstadt, Germany (Fraunhofer SIT). By exploiting weaknesses in the way the Secure Sockets Layer (SSL) protocol is used, attackers can steal sensitive access data, e.g., user names and passwords. Fraunhofer SIT informed over 30 affected app manufacturers; so far 16 have closed the security gap. Among those were Amazon, Yahoo, Google, and Volkswagen Bank. A list of all apps with security updates may be found at www.sit.fraunhofer.de/en/appsecuritylist.

The user’s security risk depends on the specific app: with some apps only personal photos might be at risk; with banking apps, access data might be used for unauthorized money transfers. An especially grave risk may occur if apps use the single sign-on services of Google or Microsoft. In these cases the same access data is used for a variety of services, like email and cloud storage.

The vulnerability is introduced by an incorrect use of SSL. SSL cryptographically protects the connection between apps and servers. This protection relies on so-called public-key certificates. When receiving a certificate, apps are supposed to verify that it actually belongs to the server they want to communicate with. The researchers found that in the listed apps, this verification is not done correctly. “From a technical perspective, this is a small mistake. But it can have a huge impact on security,” says Dr. Jens Heider from Fraunhofer SIT. For example, an attacker just needs to manipulate the communication that takes place while the victim is surfing via an unprotected WLAN, e.g., at an airport or in a restaurant. It is in these situations that the SSL encryption is supposed to ensure secure communication.
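The "small mistake" described above is usually one of two things in Android code: a custom `X509TrustManager` whose check methods never throw, so any certificate chain is accepted, or a `HostnameVerifier` that returns true for every host, so a valid certificate for one domain is accepted for another. The following Java snippet is an added illustration written for this page, not code from Fraunhofer SIT or from any of the affected apps; it places the defective pattern beside the correct one, which is simply to leave the platform's default certificate validation and hostname checking in place.

```java
import java.io.IOException;
import java.net.URL;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class TlsVerificationExample {

    // DEFECT (illustrative): a TrustManager that never throws accepts any chain,
    // so a certificate issued by nobody in the device trust store still passes.
    static final X509TrustManager TRUST_EVERYTHING = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // DEFECT (illustrative): a verifier that always returns true means the name in the
    // certificate is never compared with the host the app meant to talk to.
    static final HostnameVerifier ALLOW_ANY_HOST = (hostname, session) -> true;

    // The vulnerable pattern: both checks are switched off, so anyone who can
    // intercept traffic on the same network (e.g. an open WLAN) can read it.
    static HttpsURLConnection openInsecure(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { TRUST_EVERYTHING }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(ALLOW_ANY_HOST);
        return conn;
    }

    // The fix: do not override the defaults. HttpsURLConnection then validates the
    // chain against the device trust store and checks that the certificate's name
    // matches url.getHost(); on a mismatch the handshake fails with an SSLException
    // instead of silently connecting.
    static HttpsURLConnection openVerified(URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(10_000);
        return conn;
    }
}
```

When reviewing an app for this class of bug, grep for implementations of `X509TrustManager` and `HostnameVerifier` and for calls to `setSSLSocketFactory` / `setHostnameVerifier`; a self-signed or internal CA is handled by adding that CA to the trust material (or Android's network security configuration on newer platforms), never by disabling the checks.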

“In principle, the vulnerability is extremely easy to fix,” says Heider. He and his team already informed the manufacturers several weeks ago and asked for the weakness to be remedied. The team has rechecked every new update. “Users need to make sure they always update their apps to the newest version,” recommends Heider. The vulnerability was noticed during the pilot phase of the new Fraunhofer SIT test framework “Appicaptor”, which automatically tests the security of apps. Fraunhofer SIT tested a total of 2,000 Android apps.

Contacts

Fraunhofer SIT
Oliver Küch, +49 6151 869-213
Division Director, Communication & Marketing
oliver.kuech@sit.fraunhofer.de
http://www.sit.fraunhofer.de

Release Summary

Incorrect SSL implementation enables attack on mobile devices - users should update affected apps
