Posted October 22, 2012 by Rapid Carol in Tech News
 
 

Massive Encryption Faults in Android Apps Used by Millions

A team of computer science researchers has revealed that Android apps used by as many as 185 million people can expose online banking and social network credentials, as well as emails and IM content.

The researchers, from Germany’s Leibniz University of Hannover and Philipps University of Marburg, have identified 41 apps available on the Play store which leak sensitive information as it travels between phones and servers.

The team recreated real-life app use on a local area network and then used existing security exploits to garner confidential information.

The researchers write:

“We could gather bank account information, payment credentials for PayPal, American Express and others. Furthermore, Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted.”

The researchers haven’t identified which apps are at fault, though they do note that some of them have been downloaded up to 185 million times.

They do hint at the kind of software they found to be insecure, though, detailing examples of the vulnerabilities they found. Ars Technica gives a round-up of what appear to be third-party apps:

  • An anti-virus app that accepted invalid certificates when validating the connection supplying new malware signatures. By exploiting that trust, the researchers were able to feed the app their own malicious signature.
  • An app with an install base of 1 million to 5 million users that was billed as a “simple and secure” way to upload and download cloud-based data that exposed login credentials. The leakage was the result of a “broken SSL channel.”
  • A client app for a popular Web 2.0 site with up to 1 million users, which appears to be offered by a third-party developer. It leaked Facebook and Google credentials when logging in to those sites.
  • A “very popular cross-platform messaging service” with an install base of 10 million to 50 million users exposed telephone numbers from the address book.
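
The flaws listed above come down to client code that accepts certificates it should reject. The following is an added example, not code from the article or the researchers: a heuristic scanner that flags common Java patterns which disable certificate or hostname checks in Android source. The rule names, the `find_weak_tls` function and both sample snippets are constructed for illustration.

```python
import re

# Constructed sample: Java as it might appear in an app's (decompiled) source.
SAMPLE_VULNERABLE = '''
TrustManager[] tm = new TrustManager[] { new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] chain, String authType) {}
    public void checkServerTrusted(X509Certificate[] chain, String authType) {}
    public X509Certificate[] getAcceptedIssuers() { return null; }
}};
socketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
'''

# Constructed sample: delegates to the platform trust manager, default verifier.
SAMPLE_SAFE = '''
public void checkServerTrusted(X509Certificate[] chain, String authType)
        throws CertificateException {
    defaultTrustManager.checkServerTrusted(chain, authType);
}
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
'''

# Heuristic rules (assumed names). Regexes catch the plain forms only;
# obfuscated or indirect variants need real static analysis.
RULES = [
    # Trust manager whose server check has an empty body: any cert passes.
    ("empty-checkServerTrusted", re.compile(
        r"void\s+checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+?)?\{\s*\}")),
    # Apache HttpClient verifier that matches every hostname.
    ("allow-all-hostname-verifier", re.compile(
        r"ALLOW_ALL_HOSTNAME_VERIFIER|AllowAllHostnameVerifier")),
    # Custom HostnameVerifier that unconditionally returns true.
    ("verify-always-true", re.compile(
        r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}")),
    # WebViewClient that proceeds past SSL errors.
    ("webview-ssl-error-ignored", re.compile(
        r"onReceivedSslError\s*\([^)]*\)\s*\{[^}]*\.proceed\s*\(\s*\)")),
]

def find_weak_tls(source):
    """Return a sorted list of (line_number, rule_name) findings."""
    findings = []
    for name, pattern in RULES:
        for m in pattern.finditer(source):
            findings.append((source.count("\n", 0, m.start()) + 1, name))
    return sorted(findings)

if __name__ == "__main__":
    for line, rule in find_weak_tls(SAMPLE_VULNERABLE):
        print(f"line {line}: {rule}")
```

A hit is a lead for manual review rather than proof of a flaw; the fix in each case is to remove the override and let the platform's default certificate and hostname validation run.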