Slashdot Mirror

← Back to Stories (view on slashdot.org)

Poor SSL Implementations Leave Many Android Apps Vulnerable

Posted by timothy on from the that's-why-they-buy-guns dept.

Trailrunner7 writes "There are thousands of apps in the Google Play mobile market that contain serious mistakes in the way that SSL/TLS is implemented, leaving them vulnerable to man-in-the-middle attacks that could compromise sensitive user data such as banking credentials, credit card numbers and other information. Researchers from a pair of German universities conducted a detailed analysis of thousands of Android apps and found that better than 15 percent of those apps had weak or bad SSL implementations. The researchers conducted a detailed study of 13,500 of the more popular free apps on Google Play, the official Android app store, looking at the SSL/TLS implementations in them and trying to determine how complete and effective those implementations are. What they found is that more than 1,000 of the apps have serious problems with their SSL implementations that make them vulnerable to MITM attacks, a common technique used by attackers to intercept wireless data traffic. In its research, the team was able to intercept sensitive user data from these apps, including credit card numbers, bank account information, PayPal credentials and social network credentials."

10 of 141 comments (clear)

  1. A lot of apps use SSL by Kagetsuki · · Score: 5, Insightful

    I myself have implemented them for shopping apps (SSL for anything dealing with user details, payment, etc.). When you're communicating with an external service that requires (or where you want to use) encrypted connections and that service only offers SSL (this is probably 90% of the time) you need to use it. Now the catch here is that the standard SSL handlers available to you in Android provide an "ideal" setup, where servers and certs are exactly as they "should" be. The problem is unless you are paying rediculous ammounts for dedicated SSL services and high quality certs your setup will not be the "ideal", and you'll have to make exceptions by overriding code.

    As an example, in the shopping system I set up there were two sets of certs, one set was signed [payment gateway] the other wasn't [user control pannel]. I had to jump through a few hoops, and the app would be open for man-in-the-middle if set up right - but luckilly all they'd get would be user login details, address and phone number - billing is all external and requires a separate authorization.

    1. Re:A lot of apps use SSL by Anonymous Coward · · Score: 4, Insightful

      If one can't afford a certificate for from a typically trusted CA (and it's not much for one for ordinary e-commerce use cases) then one probably shouldn't be handling PII.

    2. Re:A lot of apps use SSL by Anonymous Coward · · Score: 1, Insightful

      Is it me or does that post make it sound like parent poster shouldn't be allowed to use secure communications, much less code them?

      I wish there was a "scary as fuck" mod but I don't know if it should count +1 or -1.

    3. Re:A lot of apps use SSL by sithlord2 · · Score: 5, Insightful

      What do you define as rediculous amount of money? I pay 50 USD/year for a signed ssl certificate. My SSL setup scores an "A" on the SSLLab test.

      With those prices today, I cannot find one argument in favor of a self-signed certificate. Especially not if you are using it in a commercial product. Get a cheap signed certificate and use the SSL framework on your platform in the way it is intended.

      I do hope the example you mentioned occured somewhere in the nineties or so, when ssl certs were indeed still expensive.

      --
      ...You are over-qualified and under-paid. If we give you a raise, we will break the cosmic balance of the universe.
    4. Re:A lot of apps use SSL by DarkOx · · Score: 3, Insightful

      I am not sure I agree. There is nothing stronger than self signed certificates, with the public certificate distributed out of band.

      For b2b sites, corporate client vpns, personal remote access and such this is ideal, it does not delegate trust to some 3rd party that might screw up and cause things to have be changed, or risk compromise. If A wants an encrypted channel with B, if A and B can swap usb keys with each other containing their self signed certs; and they then go back and put those certs in their trust stores there is no way anyone can impersonate B to A or A to B without A or B being responsible for leaking a private key.

      Obviously this only works for entities with long lived relationships, and enough value in what is being secured to make the effort worth while. Still its actually a much more secure route than a third party CA for any situation where its reasonable.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    5. Re:A lot of apps use SSL by Anonymous Coward · · Score: 2, Insightful

      expired certs seem to be more common than current ones.

      That's because cert expiry is a money-making scam by the CAs.

      There is no reason a cert should expire. It should be revoked if compromised, but there is no reason for it to "expire" other than generating annual subscriptions.

    6. Re:A lot of apps use SSL by dgatwood · · Score: 3, Insightful

      Yes, it is a common mistake. That's why Apple has told people not to do what you're describing at pretty much every WWDC networking talk for as far back as I can remember, and devoted an entire chapter in their networking documentation to that subject.

      I'm not seeing anything like the above in the Android documentation, which may explain why this is a much more common problem on that platform. And pretty much all the sample code I see on places like Stack Overflow and GitHub are wrong, which further compounds the problem. Want this problem to go away? Go to all those Stack Overflow pages and GitHub pages and flag them as inappropriate. Then convince someone to document how to do it the *right* way.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  2. Re:Android continues to be security disaster by Anonymous Coward · · Score: 4, Insightful

    This is not a platform problem, this is a matter of the choices made by application developers. I can guarantee this same sort of analysis would fail a similar number of apps across the board for Windows, OSX, or *any* platform with a sufficient number of applications making use of SSL sockets. I know the sort of developers that do this and they'll do it *everywhere*, because of some mix of not quite understanding the point of the CA and the hassle they perceive in trying to find a way to do it right (admittedly, the logistics of doing it right in certain scenarios is daunting and necessarily puts work on the enduser if you want to be truly secure).

  3. Re:User Confidence by amiga3D · · Score: 1, Insightful

    I would never consider using an Android phone for any banking access. Never.

  4. Re:User Confidence by Anonymous Coward · · Score: 0, Insightful

    I would never consider using an Android phone for any access. Never.

    FTFY