By Eduard Kovacs on September 04, 2014
The CERT Coordination Center at Carnegie Mellon University (CERT/CC) has published a list of popular Android applications that fail to properly validate SSL certificates, exposing users to man-in-the-middle (MitM) attacks.
The issue of Android apps failing to validate SSL certificates is not new. A couple of years ago, researchers in Germany published a paper based on the analysis of 13,500 popular free applications with the aid of MalloDroid, a tool that's designed to detect broken SSL certificate validation in Android programs. The researchers warned at the time that 8% of the analyzed apps contained SSL/TLS code that was potentially vulnerable to MitM attacks, but CERT says the experts didn't actually alert the developers of the impacted applications.
More recently, researchers at FireEye analyzed 1,000 of the most popular free apps offered on Google Play and found that 68% of them are vulnerable because they either don't check server certificates, they ignore SSL errors in WebKit, or they don't verify the hostnames of servers. The applications are exposed to attacks due to vulnerable libraries (such as the Flurry and Chartboost ad libraries), or they are inherently vulnerable. FireEye said it had notified developers, who took steps to secure their products, but CERT pointed out that with the exception of a few cases, the security firm did not name the affected applications, or the authors who were alerted
SecurityWeek/ full article here/ http://www.securityweek.com/cert-warns-android-apps-vulnerable-mitm-attacks
Login to the community
No account yet? Create an account
Enter your username or e-mail address. We'll send you an e-mail with instructions to reset your password.