Poor SSL Implementations Leave Many Android Apps Vulnerable
Trailrunner7 writes "There are thousands of apps in the Google Play mobile market that contain serious mistakes in the way that SSL/TLS is implemented, leaving them vulnerable to man-in-the-middle attacks that could compromise sensitive user data such as banking credentials, credit card numbers and other information. Researchers from a pair of German universities conducted a detailed analysis of thousands of Android apps and found that better than 15 percent of those apps had weak or bad SSL implementations. The researchers conducted a detailed study of 13,500 of the more popular free apps on Google Play, the official Android app store, looking at the SSL/TLS implementations in them and trying to determine how complete and effective those implementations are. What they found is that more than 1,000 of the apps have serious problems with their SSL implementations that make them vulnerable to MITM attacks, a common technique used by attackers to intercept wireless data traffic. In its research, the team was able to intercept sensitive user data from these apps, including credit card numbers, bank account information, PayPal credentials and social network credentials."
A question (Score:5, Interesting)
Researchers from a pair of German universities conducted a detailed analysis of thousands of Android apps and found that better than 15 percent of those apps had weak or bad SSL implementations.
I would have thought that an SSL implementation, complete with certificate chain validation, would be provided by the OS, and that apps would use that. Only apps that had special requirements should have to implement SSL. Does anyone know if Android does provide a TLS interface, and if so, are the apps ignoring the platform service?
Re:A lot of apps use SSL (Score:4, Interesting)
Re:A lot of apps use SSL (Score:2, Interesting)
Blame goes where blame is due, or nothing gets better. Geeks understand that, everyone else might as well go back to sacrificing goats to their local deity in hope that he fixes it.
If you don't get it, why don't you go down to your local NASCAR office and scream at them about the football referee union, see if that gets you anywhere.
Certificate expiry is a heuristic (Score:3, Interesting)
There is no reason a cert should expire. It should be revoked if compromised.
As with most perceived fallacies, certificate expiry and password expiry arise from a heuristic. An older certificate or password is more likely to have been silently compromised than a newer certificate or password.