Popular Android Apps Vulnerable to SSL Attacks: Report

Advertisement
By NDTV Correspondent | Updated: 22 August 2014 18:36 IST
Digital security firm FireEye has published a blog post in which it claims that at least 68 percent of the top 1,000 apps in the Google Play store are vulnerable to at least one major SSL security flaw. These apps either do not actually check SSL certificates, use hostname verifiers that do not work, or ignore SSL errors in the Webkit engine which generally signal security problems.

Any of these flaws on its own would be enough to enable a man-in-the-middle (MITM) attack, in which private data could be compromised by a malicious attacker without either users or app developers ever knowing. FireEye's blog post also includes case studies involving MITM attacks actually carried out as proofs of concept, but without actually intercepting any sensitive information.

According to the firm, 448 of the top 1,000 apps do not check certificates when using SSL to communicate with a remote server. Fifty apps use their own hostname verifiers which do not do anything, which means that information is transmitted without verifying that the application is connected to the server specified in the certificate issued by a certifying authority. A further 219 ignore SSL errors in Webkit, which means that known vulnerabilities can be exploited.

In a further study of 10,000 randomly selected apps in the app store, it was found that the corresponding figures were roughly 4,000, 750, and 1,300 for the three problematic behaviours respectively.

FireEye has published two case studies involving advertising libraries which are widely integrated into popular apps, and which are the sources of the problem. Both Flurry and Chartboost, which are used in thousands of apps, have since issued patches which resolve the problems. In these cases, app developers themselves might have been unaware of the potential risks of adopting these third-party ad frameworks.

A single popular app, Camera360 Ultimate, with more than 250 million users, was also vulnerable till an update was released following FireEye's study. Another app which has over 100 million users but has not been patched yet was described but not named in the report.

SSL vulnerabilities have been in the news this year, especially the massive Heartbleed bug which threatened to undermine the standard itself. FireEye's report relates to apps which did not implement SSL properly.
Post your comments

Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.

Further reading: FireEye, Internet security, SSL, SSL Vulnerability, security
Computers Reshaping Global Job Market, for Better and Worse: Paper
Smartphones Can Help Detect Irregular Heartbeat
Advertisement

Related Stories

Popular on Gadgets
Latest Gadgets
Popular Mobile Brands
#Trending Stories
  1. Starlink Will Offer Unlimited Satellite Internet in India at This Price
  2. Jolla Phone Launched With 5,500mAh Replaceable Battery, Sailfish OS 5
  3. OnePlus 15R Roundup: Price in India, Specs and Everything We Know So Far
  4. Motorola Edge 70 With 5.99mm Slim Profile Will Launch in India on This Date
  5. Realme Narzo 90 Series 5G India Launch Announced
  6. Infinix Note 60, Note 60 Edge, Note 60 Pro Reportedly Spotted on SDPPI Website
  7. 'High' Risk Vulnerabilities Discovered in Google Chrome and Edge Browsers
  8. Gemini 3 Deep Think Model Is Now Available to These Users
  9. Sierra First Impressions: Tata's Icon Returns in Style
  10. Oppo Find X9 Is Now Available in India in This Colour Option
#Latest Stories
  1. Elon Musk Says Grok 4.20 AI Model Could Be Released in a Month
  2. Xiaomi 17 Global Variant Listed on Geekbench, Tipped to Launch in India by February 2026
  3. James Gunn's Superman to Release on JioHotstar on December 11: What You Need to Know
  4. The Boys Season 5 OTT Release Date: When and Where to Watch the Final Season Online?
  5. The Strangers Chapter 2 Now Available on Rent on Amazon Prime Video, Apple TV, and More
  6. Meta Acquires AI Wearables Startup Limitless, Could Expand Its Hardware Offerings
  7. Airtel Reportedly Partners With Google to Launch RCS Messaging for Users in India
  8. Jolla Phone Launched With 5,500mAh Replaceable Battery, Linux-Based Sailfish OS 5: Price, Availability, Features
  9. CERT-In Warns Chrome, Edge Users of ‘High’ Risk Vulnerabilities on Windows, macOS, and Linux
  10. Coinbase Reopens Registrations in India, Plans Fiat On-Ramp in 2026
Gadgets 360 is available in
Follow Us
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2025. All rights reserved.