Android apps used by millions vulnerable to password, e-mail theft (opens in new tab)

(arstechnica.com)

19 pointslawlypop13y ago8 comments

8 comments

8 comments · 5 top-level

sturmeh13y ago· 2 in thread

> A "very popular cross-platform messaging service" with an install base of 10 million to 50 million users exposed telephone numbers from the address book.

WhatsApp would that be?

mike-cardwell13y ago

Possibly. When I originally looked at Kik Messenger back in November 2010, it wasn't using SSL for anything. Even passwords were going over the wire in the clear. In March 2011 they added SSL functionality, but it didn't do any certificate verification. A few months later in June they added appropriate certificate verification. I wrote a small Perl script at the time as a POC which would automatically add signatures to peoples outgoing Kik messages if they were using your network. It even worked with the SSL version of Kik before they added cert verification - https://grepular.com/Advertise_Your_Wifi_in_Your_Customers_K...

sturmeh13y ago

I'm sure quite a few apps do it, I know WhatsApp does it for certain.

MITM your phone and watch the traffic, your entire contact list gets sent through every time you open the application.

CaveTech13y ago· 1 in thread

Sadly not too many details are published. Wouldn't be surprised if the main vulnerability was caused by applications blindly trusting any certificate - which happens to be a fairly common design pattern when dealing with Android. Sadly, a lot of popular signing authorities are not trusted by default in some versions of Android, and it isn't an easy task to get a user to add others.

There's several apps I've used where I've had no choice except to trust all authorities. I know the dangers of this, but I doubt most Android users do.

ge0rg13y ago

Indeed. To add insult to injury, Java's handling of SSL trust verification is a complex beast that is hard to get right.

To mitigate the problem at least a little, you have to jump through hoops. <shamelessplug>I had to write my own (MIT licensed) lib to allow for SSH-style "ask on first use" behavior, which I needed for an XMPP client: https://github.com/ge0rg/memorizingtrustmanager </shamelessplug>

samstokes13y ago

tl;dr: 8% of the top 13k apps don't verify SSL certificates.

The scientists began their research by downloading 13,500 free apps from Google Play and subjecting them to a "static analysis." Those tests checked whether the SSL implementations of the apps were potentially vulnerable to "man-in-the-middle" exploits, in which attackers are able to monitor or tamper with communications flowing over public Wi-Fi hotspots or other unsecured networks. The results identified 1,074 apps, or eight percent of the sample, that contained "SSL specific code that either accepts all certificates or all hostnames for a certificate and thus are potentially vulnerable to MITM attacks."

<snip>

The paper made no attempt to measure the security provided by apps available for Apple's competing iOS platform. One possible reason the researchers focused on Android apps exclusively is that the openness of the Google platform made it easier to perform static analysis. That, in turn, made it possible to zero in on the apps with SSL implementations that exposed sensitive user data. It would be interesting to see the results of a similar analysis performed on the 13,000 most popular iPhone apps.

raverbashing13y ago

Why am I not surprised it's an "anti-virus"

AV software == snake oil

If your system 'needs' an Anti-virus change the way you use it or change it.

avel13y ago

From the examples: " A "very popular cross-platform messaging service" with an install base of 10 million to 50 million users exposed telephone numbers from the address book."

This app is surely WhatsApp. There was a thread in hackernews about it not using SSL.

j / k navigate · click thread line to collapse