A team of computer science researchers have revealed that Android apps used by as many as 185 million people can expose online banking and social network credentials, as well as emails and IM content.
The researchers, from Germany’s Leibniz University of Hannover and Philipps University of Marburg, have identified 41 apps available on the Play store which leak sensitive information as it travels between phones and servers. The team recreated real-life app use on a local area network and then used existing security exploits to garner confidential information, reports Ars Technica. The researchers write:
“We could gather bank account information, payment credentials for PayPal, American Express and others. Furthermore, Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted.”
The researchers haven’t identified which apps are at fault, though they do note that some of them have been downloaded up to 185 million times. They do hint at the kind of software they found to be insecure, though, by detailing examples of the vulnerabilities. Ars Technica gives a round-up:
- An anti-virus app that accepted invalid certificates when validating the connection supplying new malware signatures. By exploiting that trust, the researchers were able to feed the app their own malicious signature.
- An app with an install base of 1 million to 5 million users that was billed as a “simple and secure” way to upload and download cloud-based data that exposed login credentials. The leakage was the result of a “broken SSL channel.”
- A client app for a popular Web 2.0 site with up to 1 million users, which appears to be offered by a third-party developer. It leaked Facebook and Google credentials when logging in to those sites.
- A “very popular cross-platform messaging service” with an install base of 10 million to 50 million users exposed telephone numbers from the address book.
Big problems, then, but the descriptions — using language like “generic online banking app” — seem to suggest that these are third-party apps, not official software from the websites they connect to. The researchers have recommended a number of ways that the issues can be fixed. Let’s just hope that happens sooner rather than later. [Ars Technica]
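The “accepted invalid certificates” and “broken SSL channel” findings above typically come from an app overriding the platform’s certificate and hostname checks rather than from the OS. The following Python scanner is an added example, not code from the article or from the researchers; it flags the two common overrides in constructed Java fragments (the class, variable and rule names are illustrative).

```python
import re

# Constructed Java fragments (not from the article or the study). The first
# shows the pattern behind "accepted invalid certificates": a TrustManager
# and HostnameVerifier that never reject anything. The second simply uses
# the platform defaults, which validate the chain and the hostname.
TRUST_ALL_JAVA = """
public class TrustAll implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] chain, String authType) {
        // never throws: any certificate, including a forged one, is accepted
    }
    public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}
HostnameVerifier hv = new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
};
"""

DEFAULT_VALIDATION_JAVA = """
HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
conn.connect();  // platform TrustManager and HostnameVerifier validate the peer
"""

# Each rule: (finding name, pattern). A checkServerTrusted body that holds only
# comments or whitespace, a verify() that returns true unconditionally, or the
# ALLOW_ALL constant each disable the check the platform would otherwise do.
RULES = [
    ("trust-all TrustManager",
     re.compile(r"checkServerTrusted\s*\([^)]*\)[^{]*\{(\s*//[^\n]*)*\s*\}")),
    ("accept-all HostnameVerifier",
     re.compile(r"\bverify\s*\([^)]*\)[^{]*\{\s*return\s+true\s*;\s*\}")),
    ("ALLOW_ALL_HOSTNAME_VERIFIER", re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER")),
]

def find_ssl_weaknesses(java_source: str) -> list:
    """Return the names of the insecure TLS patterns present in the source."""
    return [name for name, pattern in RULES if pattern.search(java_source)]

if __name__ == "__main__":
    samples = (("trust-all", TRUST_ALL_JAVA), ("default", DEFAULT_VALIDATION_JAVA))
    for label, src in samples:
        print(label, "->", find_ssl_weaknesses(src) or "no weaknesses found")
```

A checkServerTrusted body that only logs instead of throwing would slip past these patterns, so a clean result means the obvious overrides are absent, not that validation is correct.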
I want names.
I want them to tell the app publishers so they can fix the problems – then I want names.
“A “very popular cross-platform messaging service” with an install base of 10 million to 50 million users exposed telephone numbers from the address book.”
What(s) App could that possibly be?
ah shit.
It’ll get fixed like Apple Maps and the world will move on.
This and the source are both equally vague as to whether it is the apps, the websites or something within Android that is at fault. I also wonder why Android was singled out; if the issue is one of insecure coding, it would surely be a cross-platform issue and worth notifying users of those apps on other platforms, not that any of the apps were named at all, which will leave the “millions” allegedly using these apps still in the dark and unsafe.
Android users sign up to the risks associated with a platform that invites hackers to abuse the system; trouble is most non-techy folk just don’t know it. Tut tut, this is very bad.
see my point lower down.
I agree 100% with Darrell. Also Taf, when you have 500+ million Android devices there will be invites for hackers for that large. Much larger share than Apple will ever have.
What do you mean singled out? I’m sure they’d report this kind of problem whether it was iOS or Android. It will probably be fixed via the dev kit, stopping the publishing of the app if it has those faults. This must hurt for someone who loves to poke fun at iOS.
just proves all the OSs have some sort of problem at some time.
Could not agree more! I think Darrell is hurting and hiding behind the big green dustbin (Dusty Bin from the 80s show 321, looks just like the Android robot).
Ahh, I’m not poking fun at Android, it’s just funny to not see iOS as the devil for once and being taken the mick out of by Darrell. I love both iOS and Android; neither are perfect but both are great in my eyes.
You may have misunderstood me; the issue I was stating was that the source is incredibly vague about what the problem was. At no point do they say that it is an Android security issue, just that they only tested Android apps. This could well mean that Taf, while he thinks he is making points at Android’s expense, is leaking supposedly secure data all over the shop. I do wonder why they haven’t named the apps and suspect that if/when they do, there will be no big names amongst them.
Also for the record, I am fully aware of Android’s faults and don’t have a problem admitting that they exist. I also take responsibility for my own actions in installing software rather than trusting in a proven-to-be-fallible app screening process.
You shouldn’t have to be careful of which apps you install on your device; it just seems like more work than it’s worth. I think there should be set toolkits that the devs use when creating an app sending/receiving sensitive information. Perhaps these problem apps come under the Unknown Sources apps; if so, users should probably not download apps from unknown sources. It is nice to have the security of a screening process; however, if the process isn’t perfect and a problem is found, it can be improved.
Saying “you shouldn’t have to be careful which apps you install on your device” is like saying, “you shouldn’t have to be careful what email attachments you open”. There should always be a safety-first attitude and, irrespective of what OS you use, you should be careful with what you do with it, because there have been cases on every OS of apps intentionally or inadvertently misbehaving – your data is yours to protect.
I know what you mean there, but I meant that it shouldn’t have to be the case, not that you don’t need to; I meant it as in the ideal-world situation. I’m always careful with what I download etc., whether it’s on Android or iOS; nothing is totally secure, I know that.
From the language of this report, it’s the individual app’s implementation of an SSL socket, or username/password/key passing over an unencrypted link or suchlike, that’s at fault, not the OS; otherwise this would be a much bigger story.
I doubt for a second Apple check every app’s authentication source code to check what’s supposed to be encrypted actually is. Unless the API forces everyone down one route (i.e. you can’t open an unencrypted link, unlikely) then iOS apps could easily be doing the same thing; they just weren’t the target of this study.
We know that Apple don’t check if data is secure from the Path app story (Path was passing user data to its servers unencrypted).
As a programmer with a bit of a security background I can’t see how they possibly could. But good to know there’s an example for Taf’s benefit.
Two guys’ comments on Reddit have saved me typing any more, based on a more detailed but sensationalised story on the BBC site:
“Leak? They described a deliberate attack on user’s data. Also, the article states that they have to be on the same WiFi network, or be connected to a ‘fake’ hotspot created by the phone.
Translation: Some apps aren’t using SSL to connect. Should they? Yes. But this is horribly misleading.”
“The article is a bit sensational. This isn’t really an android problem but more of a poorly implemented SSL problem(app developers fault)…”
So am I feeling worried by this… No, now where’s my Key Lime Pie?
Not sure if 4.2 will be KLP as there are conflicting stories and evidence. A .1 upgrade doesn’t always come with a version change; it’s going to depend on whether there is a big enough change to warrant it. Also they don’t want to just go using up all the names willy-nilly or they’ll run out of alphabet.
iPhone RULZ becuz we have teh screening prucess soh we kant get malwarez on our phonez BRO!!!11!!
Assume you just posted this from your phone, from the bang-up job iOS Autocorrect did with your post.
C’mon Darrell, seriously this was always going to happen; it won’t be the first time or the last time. Breaches will continue so long as the gates are left wide open…
But my point is, without names of these apps, we can’t say if the same app is on iOS and if the problem is in the app rather than the OS. An interesting point about these apps and their quoted install bases is that they could all be Chinese apps (easy to get those numbers in China alone) and while it would be bad for Chinese users, it would mean exactly squat to any of us.
I have Chinese friends… They will not agree! This also not good for people here…
Well, it’s one of the problems with Android making it so easy to put apps on the market; it’d be hard to check each app with its current process. It will probably be fixed via the app dev kit and that should stop it happening with other apps. Apple has the advantage of having a screening process in this case.
Oh dear oh dear… The fall of the droid! This is what happens when you don’t have a walled garden! No security = most equal plenty of busy lawyers. Who is liable?
Funny how you don’t leap to the defense of any other posts against Apple, Taf.
I’ll just leave this here for you. http://www.theregister.co.uk/2012/10/17/itrack/
Apple aren’t perfect, no denying this is far worse. It’s better to have controlled environment than no control. How can Google test and control application with its current set up to ensure abuse is kept to a minimum?
It depends; I would never trust any mobile phone app (regardless of make/OS) to access my bank account because that is just not my style, but I appreciate that others do and any breach in security should be taken seriously.
If it’s literally an app thing, then liability, if you want to call it that, lies with the developers. To answer your next question, it’s the old “freedom to” vs “freedom from” argument. I would prefer doing a bit of research and having the freedom to choose myself, rather than remaining blissfully ignorant/unaware and having the freedom to choose which apps I want taken from me.
In this situation, there is no doubt that neither solution is totally perfect, but a middle ground is yet to be established.
Oddly enough Taf, I’m not sure that the “walled garden” is the sole reason for the limits on malware on iOS; after all there have been some spectacular fails. There is another gate to entry when it comes to making iOS apps: you need an Apple computer and to pay 4 times as much (compared to Android) for a developer account. When you are stealing information for profit, these costs come off your bottom line. Also there are far more Android users than iOS users, so it makes sense to target them, the same reason it’s better to target desktop malware at Windows rather than OSX.
There are plenty of iOS users though; I’m pretty sure they also get targeted too. App development for iOS is generally better though; Android has a more open-source approach and allows anyone to develop apps, but its development tools need to improve. I disagree with the not targeting OSX; there have been attacks on OSX but they’re usually patched with software updates.
To quote tc789’s entry elsewhere in this article:
Two guys’ comments on Reddit have saved me typing any more, based on a more detailed but sensationalised story on the BBC site:
“Leak? They described a deliberate attack on user’s data. Also, the article states that they have to be on the same WiFi network, or be connected to a ‘fake’ hotspot created by the phone.
Translation: Some apps aren’t using SSL to connect. Should they? Yes. But this is horribly misleading.”
“The article is a bit sensational. This isn’t really an android problem but more of a poorly implemented SSL problem(app developers fault)…”
Oh, I meant that I’m sure that these kinds of attacks are tried on iOS too; every OS has its weakness, but these attacks are mainly tried on iOS and Android as they’re the biggest and most popular. It can only make everyone’s experience better as they will be fixed and people won’t have to worry about the problems.
I doubt it’ll affect many of the Android users, but it is something to fix either in the development process or the uploading-to-market process. Apple has a big advantage with the screening process making sure only apps that meet requirements pass.
This is hardly going to be “the fall of the droid”… and I’d like to bet there are plenty of Apple apps with these kinds of vulnerabilities; there’s no way Apple could automate testing for them and there’s even less chance someone’s actually checking every line of code. I expect this study focused on Android as the apps are really easy to reverse engineer, or the guys doing it all have Android phones.
Keep your walled garden and severely locked-down APIs; found out the other day iOS can’t even give you the nearby hotspot list. Very disappointing when it’s something that is 5 lines of code in Android. But I guess Apple know best, right, right?
(Actually people managed it but their apps got banned from the app store after being approved when Apple either changed their mind or noticed they were using private APIs)
Do you really get generic banking apps on Android? Do banks actually have APIs that 3rd parties can use?