Most mobile users trust that apps from legitimate, high-profile companies – like banking or shopping apps – will handle their sensitive data with care, but a new study says that even encryption technology might not be enough to secure your favorite apps.
Researchers from Philipps University and Leibniz University in Germany examined 13,500 free apps from Google Play and found that about 8 percent contained encryption technology that was vulnerable to “Man in the Middle” (MITM) attacks – where the scammer intercepts data as it travels between the user and the intended destination.
The researchers picked out 100 apps for manual audit and were able to successfully carry out MITM attacks against 41 of them, despite their being protected by encryption technologies like SSL/TLS.
“From these 41 apps, we were able to capture credentials for American Express, Diners Club, Paypal, bank accounts, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, remote control servers, arbitrary email accounts, and IBM Sametime, among others,” the researchers said in a paper that described their experiment.
They were also able to “inject virus signatures into an anti-virus app to detect arbitrary apps as a virus or disable virus detection completely.”
Their report did not specify which apps were examined, except to say that they focused on popular apps and those that were perceived as secure.
“Instead of malicious apps, we investigate potential security threats posed by benign Android apps that legitimately process privacy-related user data, such as log-in credentials, personal documents, contacts, financial data, messages, pictures, or videos,” the paper said.
Researchers concluded that the cumulative install base of apps with confirmed vulnerabilities against MITM attacks was between 39.5 and 185 million users. “This number includes 3 apps with install bases between 10 and 50 million users each,” the report said.
Furthermore, researchers conducted an online poll of 754 app users and found that half were not able to correctly judge whether their browsing sessions were encrypted.
Google did not immediately respond to a request for comment. But researchers acknowledged that “Android software development and the Google Play Market are relatively open and unrestricted.” Unlike Apple’s App Store, Google does not have an approval process in place, allowing any developer to publish their app on the store. This creates more openness and app options, but can make users vulnerable to spammy or malicious apps.
In February, Google unveiled Bouncer, which automatically scans new and existing Android apps as well as developer accounts without requiring an application approval process. It then alerts the developer to possible problems with their apps.
Last week, meanwhile, there were reports that Google is developing a built-in malware scanner for Android devices. It appears that Android devices might one day be able to check the apps you have installed or are about to install on your phone and warn you if something suspicious is found.