Android apps flawed - leak personal information

Android apps flawed - leak personal information
Hundreds of apps found to be vulnerable to "man in the middle" attacks.

Research conducted at the University of Leibniz in Hanover and the computer science department at the Philipps University of Marburg, found that hundreds of Android apps can leak personal or sensitive information. The researchers tested 13,500 Android apps from the Google Play store, and found that 8 percent of them failed to protect bank account details, or social media login details, adequately, due to SSL weaknesses.



The test utilized a crafted attack tool and a fake Wi-Fi hotspot to spy on data transmitted from the apps. In many cases, the researchers were able to retrieve login credentials for banking, email, social media or corporate networks. They could also disable security programs or spoof them into labelling secure apps as infected, and in cases could even inject code into the data stream and force apps to carry out specific commands.

Since the researchers intentionally focused on popular apps, some of the tested apps have clocked up millions of downloads.

Read more (PDF): http://www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf

Written by: James Delahunty @ 22 Oct 2012 18:43
Tags
Android google play
Advertisement - News comments available below the ad
  • 3 comments

  • IguanaC64

    Snippet from the article regarding apps they tested (in case you don't want to dig...all these had SSL weaknesses):

    Amazon MP3 10-50 million
    Chrome 0.5-1 million
    Dolphin Browser HD 10-50 million
    Dropbox 10-50 million
    Ebay 10-50 million
    Expedia Bookings 0.5-1 million
    Facebook Messenger 10-50 million
    Facebook 100-500 million
    Foursquare 5-10 million
    GMail 100-500 million
    Google Play Market All Phones
    Google+ 10-50 million
    Hotmail 5-10 million
    Instagram 5-10 million
    OfficeSuite Pro 6 1-5 million
    PayPal 1-5 million
    Yahoo! Messenger 10-50 million
    Yahoo! Mail 10-50 million

    22.10.2012 19:21 #1

  • pollution

    There is an android app you can install on your phone and make a fake wifi hotspot and steal all of someones data that connects through you. I don't remember what it is called.

    23.10.2012 00:19 #2

  • mukhis

    the same may be true for other mobile apps in other mobile OSs, too. the bottomline is that you don't want to use your mobile apps for transactions that needs high security level.

    ASUS G73JW | Intel Core i7-740QM, 1.73GHz | 8GB DDR3 | Nvidia GeForce GTX 460M, 1.5GB | OCZ 120GB SSD + Seagate 500GB Hybrid 7200rpm | 17.3" FHD/3D | Blu-ray Write | Win7Pro64

    23.10.2012 00:24 #3

© 2024 AfterDawn Oy

Hosted by
Powered by UpCloud