The most common approach to protecting data in transit on the Android platform is to use the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols, and thousands of applications in the Google Play market rely on them.

A group of researchers, Sascha Fahl, Marian Harbach, Thomas Muders and Matthew Smith from the Distributed Computing & Security Group at Leibniz University of Hannover, Germany, and Lars Baumgärtner and Bernd Freisleben from the Department of Mathematics & Computer Science at Philipps University of Marburg, Germany, have presented a paper showing that a large number of these applications contain serious mistakes in the way SSL/TLS is used: custom trust managers that accept any certificate, hostname verifiers that accept any host, and WebView error handlers that proceed past SSL errors. These mistakes leave the apps vulnerable to man-in-the-middle attacks that could compromise sensitive user data such as banking credentials, credit card numbers and other information.

The team built a proof-of-concept static-analysis tool called MalloDroid that flags potentially exploitable SSL code in Android apps. They then manually audited 100 of the flagged apps to determine whether an attack was in fact possible, and confirmed that 41 of them were vulnerable to man-in-the-middle attacks.
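The two code patterns described above, as an added example that is not taken from the paper or from MalloDroid: the insecure `TrustManager` and `HostnameVerifier` that MalloDroid flags, followed by two hardened alternatives. Rather than disabling validation, an app that must talk to a server with a self-signed or private-CA certificate should build a trust store that contains only that CA. The class name `TlsExamples`, the method names and the `pinnedCaPem` stream (assumed to be the app's own CA certificate shipped as a resource) are illustrative names, not anything from the paper.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Illustrative class written for this article; not code from the paper or MalloDroid.
public class TlsExamples {

    // VULNERABLE: the "trust all certificates" pattern. checkServerTrusted never
    // throws, so a certificate forged by a man-in-the-middle is accepted like any other.
    static final TrustManager[] TRUST_EVERYTHING = new TrustManager[] {
        new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            public void checkServerTrusted(X509Certificate[] chain, String authType) {}
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };

    // VULNERABLE: the "allow all hostnames" pattern. Even a chain that validates
    // correctly is never matched against the host being contacted, so a valid
    // certificate for attacker.example is accepted for bank.example.
    static final HostnameVerifier ALLOW_ALL = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) { return true; }
    };

    // How the vulnerable apps typically wire the two pieces together.
    static HttpsURLConnection openInsecure(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, TRUST_EVERYTHING, null);
        HttpsURLConnection c = (HttpsURLConnection) url.openConnection();
        c.setSSLSocketFactory(ctx.getSocketFactory());
        c.setHostnameVerifier(ALLOW_ALL);
        return c;
    }

    // HARDENED: for a server with a publicly trusted certificate, install nothing.
    // The platform trust store and the default HostnameVerifier do the right thing.
    static HttpsURLConnection openDefault(URL url) throws Exception {
        return (HttpsURLConnection) url.openConnection();
    }

    // HARDENED + PINNED: for a self-signed or private-CA server, load that CA into a
    // dedicated in-memory KeyStore and build the TrustManager from it. Chain
    // validation is still done by the platform code; only the trust anchor changes,
    // and the default HostnameVerifier remains in place.
    static HttpsURLConnection openPinned(URL url, InputStream pinnedCaPem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca = (X509Certificate) cf.generateCertificate(pinnedCaPem);

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                       // start from an empty store
        ks.setCertificateEntry("pinned-ca", ca);   // the only trusted anchor

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        HttpsURLConnection c = (HttpsURLConnection) url.openConnection();
        c.setSSLSocketFactory(ctx.getSocketFactory());
        return c;
    }
}
```

The same reasoning applies to WebView: a `WebViewClient.onReceivedSslError` override that unconditionally calls `handler.proceed()` has the same effect as `TRUST_EVERYTHING`. A quick check for any of these patterns during review is to search the decompiled app for `X509TrustManager` implementations whose `checkServerTrusted` body is empty, for `ALLOW_ALL_HOSTNAME_VERIFIER`, and for `onReceivedSslError` handlers that proceed without inspecting the error.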

They successfully captured credentials for American Express, Diners Club, PayPal, bank accounts, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, remote control servers, arbitrary email accounts and IBM Sametime.

"It was possible to remotely inject and execute code in an app created by a vulnerable app-building framework," the authors wrote in their paper, "Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security".

It is important to understand the potential risks and make sure you are protected against them. To learn more about what SSL is, download the whitepaper "Beginner Guide to SSL Certificates".
