12 years, 5 months ago

Vulnerabilities detected in some apps on Google Play

Computer scientists from Germany’s Leibniz University of Hannover and Philipps University of Marburg have found that apps downloaded by as many as 185 million people have been putting at risk the online banking and social networking credentials of users, along with their e-mail and instant-messaging contents.

While the researchers found no evidence indicating that any of the suspicious apps were developed by Google employees, they opine that Google engineers could surely work towards ensuring that Android apps implement encryption more securely.

The paper, presented at this week’s Computer and Communications Security conference, exposes yet another point of failure, which is poor implementation by app developers.” In his statement to Ars Technica, Jon Oberheide, CTO of mobile firm Duo Security, added, “All things said, it’s generally good research that should make developers more aware of these basic security deficiencies that shouldn’t have made it through any respectable QA process.” “Needless to say, security isn’t top of mind of most mobile developers.”

As part of their research, the scientists downloaded 13,500 free apps from Google Play and put them through a “static analysis”. Researchers found that 1,074 apps, or eight percent of the sample, contained “SSL specific code that either accepts all certificates or all hostnames for a certificate and thus are potentially vulnerable to MITM attacks.” From the list of 1,074 potentially vulnerable apps, the researchers picked 100 and put them through a manual audit.
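To make the two flagged patterns concrete, the following is an added example, not the researchers' tool or code from the paper: a small source-level check that reports Java code accepting all certificates or all hostnames. The rule set, the labels and the Java snippets are constructed for illustration; a real static analysis would work on the app's bytecode rather than on regular expressions.

```python
import re

# Heuristic comment stripper: also eats "//" inside string literals, which is
# acceptable for this illustration but not for a production scanner.
COMMENTS = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)

RULES = [
    # X509TrustManager whose checkServerTrusted() body is empty: every chain passes.
    ("accepts-all-certificates", re.compile(
        r"void\s+checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+?)?\{\s*\}")),
    # HostnameVerifier.verify() that unconditionally returns true.
    ("accepts-all-hostnames", re.compile(
        r"boolean\s+verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)"
        r"\s*\{\s*return\s+true\s*;\s*\}")),
    # Apache HttpClient's built-in allow-all verifier.
    ("accepts-all-hostnames", re.compile(
        r"\bALLOW_ALL_HOSTNAME_VERIFIER\b|\bAllowAllHostnameVerifier\b")),
]

def scan(java_source):
    """Return the sorted set of finding labels for one Java source string."""
    code = COMMENTS.sub("", java_source)
    return sorted({label for label, rx in RULES if rx.search(code)})

# Constructed samples, not taken from any real app.
TRUST_ALL = '''
class NaiveTrustManager implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] c, String a) {}
    public void checkServerTrusted(X509Certificate[] chain, String authType) {
        // accept everything
    }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}'''
ALLOW_ALL_HOSTS = '''
conn.setHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
});'''
SAFE = '''
public void checkServerTrusted(X509Certificate[] chain, String authType)
        throws CertificateException {
    defaultTm.checkServerTrusted(chain, authType);  // delegate to platform checks
}'''

if __name__ == "__main__":
    for name, src in [("TRUST_ALL", TRUST_ALL), ("ALLOW_ALL_HOSTS", ALLOW_ALL_HOSTS), ("SAFE", SAFE)]:
        print(name, scan(src))
```

A hit only marks code as potentially vulnerable, which is why the researchers followed the automated pass with a manual audit.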

Firstpost
