
Poor SSL Implementations Leave Many Android Apps Vulnerable

Trailrunner7 writes "There are thousands of apps in the Google Play mobile market that contain serious mistakes in the way that SSL/TLS is implemented, leaving them vulnerable to man-in-the-middle attacks that could compromise sensitive user data such as banking credentials, credit card numbers and other information. Researchers from a pair of German universities conducted a detailed analysis of thousands of Android apps and found that better than 15 percent of those apps had weak or bad SSL implementations. The researchers conducted a detailed study of 13,500 of the more popular free apps on Google Play, the official Android app store, looking at the SSL/TLS implementations in them and trying to determine how complete and effective those implementations are. What they found is that more than 1,000 of the apps have serious problems with their SSL implementations that make them vulnerable to MITM attacks, a common technique used by attackers to intercept wireless data traffic. In its research, the team was able to intercept sensitive user data from these apps, including credit card numbers, bank account information, PayPal credentials and social network credentials."
  • A question (Score:5, Interesting)

    by Chrisq ( 894406 ) on Saturday October 20, 2012 @08:31AM (#41714011)
    The article says:

    Researchers from a pair of German universities conducted a detailed analysis of thousands of Android apps and found that better than 15 percent of those apps had weak or bad SSL implementations.

    I would have thought that an SSL implementation, complete with certificate chain validation, would be provided by the OS, and that apps would use that. Only apps that had special requirements should have to implement SSL. Does anyone know if Android does provide a TLS interface, and if so, are the apps ignoring the platform service?

  • by dbIII ( 701233 ) on Saturday October 20, 2012 @09:13AM (#41714163)
    Tell that to what seems like 9/10 of the sites on the net; expired certs seem to be more common than current ones.
  • by Anonymous Coward on Saturday October 20, 2012 @09:21AM (#41714183)

    Geeks really don't understand.

    Blame goes where blame is due, or nothing gets better. Geeks understand that, everyone else might as well go back to sacrificing goats to their local deity in hope that he fixes it.

    If you don't get it, why don't you go down to your local NASCAR office and scream at them about the football referee union, see if that gets you anywhere.

  • by tepples ( 727027 ) on Saturday October 20, 2012 @11:58AM (#41714779)

    There is no reason a cert should expire. It should be revoked if compromised

    As with most perceived fallacies, certificate expiry and password expiry arise from a heuristic. An older certificate or password is more likely to have been silently compromised than a newer certificate or password.
