Digital security firm FireEye has published a blog post in which it claims that at least 68 percent of the top 1,000 apps in the Google Play store are vulnerable to at least one major SSL security flaw. These apps either do not actually check SSL certificates, use hostname verifiers that do not work, or ignore SSL errors in the Webkit engine which generally signal security problems.
Any of these flaws on its own would be enough to enable a man-in-the-middle (MITM) attack, in which private data could be compromised by a malicious attacker without either users or app developers ever knowing.
FireEye's blog post also includes case studies involving MITM attacks actually carried out as proofs of concept, but without actually intercepting any sensitive information.
According to the firm, 448 of the top 1,000 apps do not check certificates when using SSL to communicate with a remote server. Fifty apps use their own hostname verifiers which do not do anything, which means that information is transmitted without verifying that the application is connected to the server specified in the certificate issued by a certifying authority. A further 219 ignore SSL errors in Webkit, which means that known vulnerabilities can be exploited.
In a further study of 10,000 randomly selected apps in the app store, it was found that the corresponding figures were roughly 4,000, 750, and 1,300 for the three problematic behaviours respectively.
FireEye has published two case studies involving advertising libraries which are widely integrated into popular apps, and which are the sources of the problem. Both Flurry and Chartboost, which are used in thousands of apps, have since issued patches which resolve the problems. In these cases, app developers themselves might have been unaware of the potential risks of adopting these third-party ad frameworks.
A single popular app, Camera360 Ultimate, with more than 250 million users, was also vulnerable till an update was released following FireEye's study. Another app which has over 100 million users but has not been patched yet was described but not named in the report.
SSL vulnerabilities have been in the news this year, especially the massive
Heartbleed bug which threatened to undermine the standard itself. FireEye's report relates to apps which did not implement SSL properly.