Researchers at two German universities are warning that almost 8 percent of Android apps contain significant errors in the implementation of SSL/TLS.
"Developers commonly embrace SSL or TLS to protect data during communication on the Android platform, according to the researchers; unfortunately, developers don't always implement SSL correctly for its intended usage and threat environment," writes InfoWorld's Ted Samson.
"The researchers from the Leibniz University of Hanover and the Philipp University of Marburg, Germany, found that of the 13,500 apps analysed, 1,074 contained code that was potentially vulnerable to a man-in-the-middle (MITM) attack," writes ZDNet's Michael Lee. "This particular type of attack intercepts regular traffic, then inspects and/or modifies the data before passing it on to its intended destination without either of the original parties knowing."
"In its research, the team was able to intercept sensitive user data from these apps, including credit card numbers, bank account information, PayPal credentials and social network credentials," writes Threatpost's Dennis Fisher.
"The problems arise because of developers misusing the SSL settings the Android API offers," writes The Register's Richard Chirgwin. "Examples given by the researchers include apps that are instructed to trust all certificates presented to them (21 of 100 apps selected for a MITM test); 20 of the MITM-tested apps were configured to accept certificates regardless of their associated hostname (for example, an app connecting to PayPal would accept a certificate from another domain). Other issues included SSL stripping and 'lazy' SSL implementations."
"While SSL is generally considered to be secure, the problems of improper SSL implementation, which can render its inherent encryption useless or expose sensitive information, have long been known," writes FierceCIO's Paul Mah. "In a report last year on how improper SSL implementations are widespread, a study conducted by Qualys found that only one-fifth of 250,000 SSL-enabled sites that were surveyed were properly redirecting users to SSL for authentication."