Some Android apps could leak personal data, researchers find

Date: 2012-10-27

According to "zdnet", research has shown that more than a thousand popular apps in the Google Play store may leave sensitive information exposed.
A paper by researchers from Leibniz University Hannover and Philipps University of Marburg found that 17 percent of the Secure Sockets Layer (SSL)-using apps analyzed in the study (a sample biased towards free, popular applications) were vulnerable to man-in-the-middle (MITM) attacks.
In a man-in-the-middle attack the attacker sits between the app and the server it talks to, relaying the traffic while impersonating each side to the other. Like an eavesdropper the attacker can read everything, but can also fake the authentication and inject or alter messages. Against a client that validates the server certificate and hostname correctly, this requires a certificate the client trusts; against one that skips those checks, any certificate the attacker generates will do.
1,074 apps in a sample of 13,500 contained flaws in their SSL implementation. The researchers state that these apps contain "SSL specific code that either accepts all certificates or all hostnames for a certificate and thus are potentially vulnerable to MITM attacks".
In the researchers' own MITM attacks against vulnerable apps, the captured data included "credentials for American Express, Diners Club, Paypal, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, IBM Sametime, remote servers, bank accounts and email accounts." In addition, the team wrote:
"Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted."
The researchers were also able to remotely inject and execute code in an app built with a vulnerable app-building framework, since the framework fetched code over a connection whose certificate was never checked.
A follow-up survey of 754 participants suggested that many app developers are not making security indicators clear enough to users, who therefore may not be able to tell a secure browser session from an open one.
