Popular Android Apps Vulnerable to SSL Attacks: Report

Advertisement
By NDTV Correspondent | Updated: 22 August 2014 18:36 IST
Digital security firm FireEye has published a blog post in which it claims that at least 68 percent of the top 1,000 apps in the Google Play store are vulnerable to at least one major SSL security flaw. These apps either do not actually check SSL certificates, use hostname verifiers that do not work, or ignore SSL errors in the Webkit engine which generally signal security problems.

Any of these flaws on its own would be enough to enable a man-in-the-middle (MITM) attack, in which private data could be compromised by a malicious attacker without either users or app developers ever knowing. FireEye's blog post also includes case studies involving MITM attacks actually carried out as proofs of concept, but without actually intercepting any sensitive information.

According to the firm, 448 of the top 1,000 apps do not check certificates when using SSL to communicate with a remote server. Fifty apps use their own hostname verifiers which do not do anything, which means that information is transmitted without verifying that the application is connected to the server specified in the certificate issued by a certifying authority. A further 219 ignore SSL errors in Webkit, which means that known vulnerabilities can be exploited.

In a further study of 10,000 randomly selected apps in the app store, it was found that the corresponding figures were roughly 4,000, 750, and 1,300 for the three problematic behaviours respectively.

FireEye has published two case studies involving advertising libraries which are widely integrated into popular apps, and which are the sources of the problem. Both Flurry and Chartboost, which are used in thousands of apps, have since issued patches which resolve the problems. In these cases, app developers themselves might have been unaware of the potential risks of adopting these third-party ad frameworks.

A single popular app, Camera360 Ultimate, with more than 250 million users, was also vulnerable till an update was released following FireEye's study. Another app which has over 100 million users but has not been patched yet was described but not named in the report.

SSL vulnerabilities have been in the news this year, especially the massive Heartbleed bug which threatened to undermine the standard itself. FireEye's report relates to apps which did not implement SSL properly.

Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.

Advertisement

Related Stories

Popular Mobile Brands
  1. OTT Releases This Week: Elle, Super Subbu, Enola Holmes 3, and More
  2. Here's Our First Look of the Nothing Phone 4b 'RCB Edition' Variant
  3. Moto G77 Power Will Launch in India on This Date
  4. Oppo Reno 16, Reno 16c Make Their Debut in India at These Prices
  5. Amazon Prime Day Sale: Early Deals on Smartphones From Top Brands Revealed
  6. CMF's Himanshu Tandon Departs Firm After a 10-Month Stint
  1. PS Plus Monthly Games for July Include Call of Duty: Modern Warfare 3, For the King 2 and CrossCode
  2. Nothing Phone 4b RCB Edition Design, Colour Revealed Days Ahead of Debut
  3. Garmin Forerunner 70, Forerunner 170, Forerunner 170 Music Launched in India With 1.2-Inch Display, Up to 13 Days Battery Life
  4. Redmi Note 17 Series Launch Timeline Teased, Company Touts Display Upgrades and Longer Battery Life
  5. Lava Probuds T51, Xscape 13° Neckband With Up to 70 Hours Battery Life Launched in India: Price, Features
  6. Best Noise Cancellation Headphones in India to Buy This Amazon Prime Day: boAt Rockerz 650 Pro, JBL Tune 520 BT and More
  7. Oppo Enco Air 5 With Up to 52dB ANC, Up to 54 Hours Battery Launched in India: Price, Features
  8. Apple Reportedly Cuts iPhone 17 Series Production Plans by 15 Percent as Demand Softens
  9. Moto G77 Power Set to Launch in India Next Week; Price Range, Specifications Revealed
  10. CMF's Himanshu Tandon Announces Exit Weeks After Firm Confirms 2026 Phone Strategy
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2026. All rights reserved.