Popular Android Apps Vulnerable to SSL Attacks: Report

Advertisement
By NDTV Correspondent | Updated: 22 August 2014 18:36 IST
Popular Android Apps Vulnerable to SSL Attacks: Report
Digital security firm FireEye has published a blog post in which it claims that at least 68 percent of the top 1,000 apps in the Google Play store are vulnerable to at least one major SSL security flaw. These apps either do not actually check SSL certificates, use hostname verifiers that do not work, or ignore SSL errors in the Webkit engine which generally signal security problems.

Any of these flaws on its own would be enough to enable a man-in-the-middle (MITM) attack, in which private data could be compromised by a malicious attacker without either users or app developers ever knowing. FireEye's blog post also includes case studies involving MITM attacks actually carried out as proofs of concept, but without actually intercepting any sensitive information.

According to the firm, 448 of the top 1,000 apps do not check certificates when using SSL to communicate with a remote server. Fifty apps use their own hostname verifiers which do not do anything, which means that information is transmitted without verifying that the application is connected to the server specified in the certificate issued by a certifying authority. A further 219 ignore SSL errors in Webkit, which means that known vulnerabilities can be exploited.

In a further study of 10,000 randomly selected apps in the app store, it was found that the corresponding figures were roughly 4,000, 750, and 1,300 for the three problematic behaviours respectively.

FireEye has published two case studies involving advertising libraries which are widely integrated into popular apps, and which are the sources of the problem. Both Flurry and Chartboost, which are used in thousands of apps, have since issued patches which resolve the problems. In these cases, app developers themselves might have been unaware of the potential risks of adopting these third-party ad frameworks.

A single popular app, Camera360 Ultimate, with more than 250 million users, was also vulnerable till an update was released following FireEye's study. Another app which has over 100 million users but has not been patched yet was described but not named in the report.

SSL vulnerabilities have been in the news this year, especially the massive Heartbleed bug which threatened to undermine the standard itself. FireEye's report relates to apps which did not implement SSL properly.

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Advertisement

Related Stories

Popular Mobile Brands
  1. Mozilla's Pocket Shuts Down in July: Try These Four Pocket Alternatives
  1. WhatsApp Reportedly Developing Unified Chat Media Hub Feature for Web Client
  2. OnePlus 13s to Arrive With Support for OnePlus AI Suite; Plus Key Details Revealed Ahead of Launch
  3. Moto G56 5G Specifications Reportedly Listed on Company's Websites Ahead of Global Launch
  4. Samsung Galaxy S25 Edge Begins Shipping to Customers During Pre-Order Window: Price, Specifications
  5. OnePlus Ace 5 Ultra With MediaTek Dimensity 9400+ SoC Launched Alongside Ace 5 Racing Edition
  6. Xiaomi Mix Flip 2 Launch Timeline Leaked; Tipped to Arrive With Snapdragon 8 Elite Chipset
  7. Elon Musk Says X Money Payments Will Launch in 'Very Limited Access Beta' Soon
  8. Dubai's Real Estate Tokenisation Pilot Goes Live on Dedicated Platform Prypco Mint: Details
  9. Oppo Reno 14, Reno 14 Pro India Launch Timeline and Colourways Leaked
  10. Quantum Tech Could Finally Let Astronomers Snap Direct Images of Earth-Like Exoplanets
Gadgets 360 is available in
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2025. All rights reserved.