Tuesday, October 23, 2012

Massive Encryption Faults in Android Apps Used by 185 Million Users exposing Bank Details etc.

Computer science researchers have found that Android apps used by upwards of 185 million people can expose online banking and social network credentials, as well as emails and IM content.
The researchers, from Germany's Leibniz University of Hannover and Philipps University of Marburg, have identified 41 apps available on the Play store which leak sensitive information as it travels between phones and servers. The team recreated real-life app use on a local area network and then used existing security exploits to garner confidential information,
reports Ars Technica. The researchers write:
"We could gather bank account information, payment credentials for PayPal, American Express and others. Furthermore, Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted."
The researchers haven't identified which apps are at fault, though they do note that some of them have been downloaded up to 185 million times. They do hint at the kind of software they found was insecure, though, detailing examples of the vulnerabilities they found. Ars Technica gives a round-up:
  • An anti-virus app that accepted invalid certificates when validating the connection supplying new malware signatures. By exploiting that trust, the researchers were able to feed the app their own malicious signature.
  • An app with an install base of 1 million to 5 million users that was billed as a "simple and secure" way to upload and download cloud-based data that exposed login credentials. The leakage was the result of a "broken SSL channel."
  • A client app for a popular Web 2.0 site with up to 1 million users, which appears to be offered by a third-party developer. It leaked Facebook and Google credentials when logging in to those sites.
  • A "very popular cross-platform messaging service" with an install base of 10 million to 50 million users exposed telephone numbers from the address book.
Big problems, then, but the descriptions—using language like "generic online banking app"—seem to suggest that these are third-party apps, not official software from the websites they connect to. The researchers have recommended a number of ways that the issues can be fixed. Let's just hope that happens sooner rather than later.

No comments: