Hackers cause so many problems and, in the long run, end up costing the consumer more money, because the developers of programs and apps have to put more work and effort into building a ‘safe’ program for us to use. Back in the day, about the worst thing we did was type in a credit card number to place an online order, but now most websites want to know everything about you, including your first-born.
Many apps store your credit card information or bank account numbers, on top of the usual Date of Birth (DOB), Social Security Number (SSN), address, phone numbers, and more. Security is more important than ever as we carry our ‘portable lives’ with us in our smartphones, and banking apps and mobile wallets will challenge designers even further to provide a safe environment. We did an article earlier today about how some apps can pull a ‘sneak attack’ on another app; one example was the Chase bank app, where another app was able to capture the picture of a check you were depositing!
In this latest study by the FireEye Mobile Security Team, which analyzed the 1,000 most downloaded free Android apps, they found that 68 percent were susceptible to Man-In-The-Middle (MITM) attacks because they contained at least one of three SSL vulnerabilities. The name fits perfectly: just like a middleman (nobody likes them), the attacker sits between your device and the remote server, for example on the same public Wi-Fi network, and can read or even alter the data exchanged between the two. SSL/TLS is supposed to stop exactly that, but only if the app actually verifies that the certificate presented by the server is trusted and belongs to the host it meant to talk to. Skip those checks and the attacker can present any certificate at all, the app accepts it, and your sensitive information is handed over in the clear as it passes over the network.
Many of these vulnerabilities can be traced to advertising libraries. These ‘libraries’ are pre-built code that app developers drop into their free applications to show you those annoying pop-up advertisements; it saves them from having to write that code themselves. The catch is that the library ships with its own network code, and it runs inside the app with the same permissions as the app itself. When the ad library disables certificate checking to make its own connections ‘just work’, the whole app inherits the weakness, and that is often the link a MITM attack gets in through.
If you look at the chart below, FireEye examined three SSL vulnerabilities across the 1,000 most downloaded free apps in the Google Play Store. Of the 614 applications that use SSL/TLS to communicate with a remote server, 73 percent did not check certificates (their trust manager, the piece of code that decides whether the server’s certificate chain is trustworthy, accepts anything) and 8 percent used their own hostname verifiers (the check that the certificate actually matches the server being contacted). Of the 285 apps that used WebKit to display web content, 77 percent ignored the SSL errors WebKit raised and loaded the page anyway! FireEye also estimated that 40 percent use trust managers that do not check any certificates, leaving the data exchanged with host servers completely open for theft.
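To make the three findings concrete, here is an added example (written for this page, not code from FireEye’s report or from any of the apps they tested) showing what each of the three mistakes looks like in Android/Java next to the safe alternative. The class name `SslPatterns` and the method names `openInsecure` and `openSecure` are hypothetical; the Android and Java SE APIs used are real.

```java
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.IOException;
import java.net.URL;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/** Hypothetical class illustrating the three SSL mistakes FireEye counted, and the fix. */
public final class SslPatterns {

    // Mistake 1 (the "73% do not check certificates" finding):
    // a trust manager whose check methods are empty accepts ANY certificate chain,
    // including one minted on the spot by an attacker on the same Wi-Fi network.
    static final X509TrustManager TRUST_EVERYTHING = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // Mistake 2 (the "8% use their own hostname verifiers" finding):
    // even a valid certificate is useless if you never check it was issued for THIS host.
    static final HostnameVerifier ALLOW_ANY_HOST = new HostnameVerifier() {
        @Override public boolean verify(String hostname, SSLSession session) { return true; }
    };

    // Mistake 3 (the "77% ignore WebKit SSL errors" finding):
    // calling proceed() tells the WebView to load the page despite a bad certificate.
    static final WebViewClient IGNORE_SSL_ERRORS = new WebViewClient() {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.proceed();   // VULNERABLE: silently trusts the attacker's certificate
        }
    };

    /** VULNERABLE: wires mistakes 1 and 2 into a single HTTPS connection. */
    static HttpsURLConnection openInsecure(String url)
            throws IOException, NoSuchAlgorithmException, KeyManagementException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { TRUST_EVERYTHING }, new SecureRandom());
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());   // replaces the platform trust store
        conn.setHostnameVerifier(ALLOW_ANY_HOST);            // disables the hostname match
        return conn;
    }

    /** HARDENED: do nothing special. The platform defaults already validate the chain
     *  against the device trust store and match the certificate to the hostname. */
    static HttpsURLConnection openSecure(String url) throws IOException {
        return (HttpsURLConnection) new URL(url).openConnection();
    }

    /** HARDENED WebViewClient: cancel() is what the default implementation does;
     *  it is spelled out here so the contrast with proceed() is visible. */
    static final WebViewClient FAIL_CLOSED = new WebViewClient() {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.cancel();    // refuse to load; the user sees an error instead of a forged page
        }
    };
}
```

Against a server presenting a forged or self-signed certificate, `openSecure` fails the handshake with an `SSLHandshakeException`, which is the behaviour you want; `openInsecure` connects and hands over whatever the app sends. Searching an app’s code for empty `checkServerTrusted` bodies, hostname verifiers that `return true`, and `onReceivedSslError` overrides that call `proceed()` is the quickest way to spot all three patterns.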
FireEye notified the affected app developers and was promised that corrections would be implemented in their next update (they sound real worried, don’t they). I wonder whether the same problems exist in paid apps, where advertising ‘libraries’ would not be needed. Please hit us up on our Google+ Page and let us know if you are concerned; perhaps we should contact our app developers and make them aware of the situation. Maybe if they know that we are concerned and watching, they will be more careful. As always, we would love to hear from you.