Popular Android Apps Vulnerable to SSL Attacks: Report

Advertisement
By NDTV Correspondent | Updated: 22 August 2014 18:36 IST
Popular Android Apps Vulnerable to SSL Attacks: Report
Digital security firm FireEye has published a blog post in which it claims that at least 68 percent of the top 1,000 apps in the Google Play store are vulnerable to at least one major SSL security flaw. These apps either do not actually check SSL certificates, use hostname verifiers that do not work, or ignore SSL errors in the Webkit engine which generally signal security problems.

Any of these flaws on its own would be enough to enable a man-in-the-middle (MITM) attack, in which private data could be compromised by a malicious attacker without either users or app developers ever knowing. FireEye's blog post also includes case studies involving MITM attacks actually carried out as proofs of concept, but without actually intercepting any sensitive information.

According to the firm, 448 of the top 1,000 apps do not check certificates when using SSL to communicate with a remote server. Fifty apps use their own hostname verifiers which do not do anything, which means that information is transmitted without verifying that the application is connected to the server specified in the certificate issued by a certifying authority. A further 219 ignore SSL errors in Webkit, which means that known vulnerabilities can be exploited.

In a further study of 10,000 randomly selected apps in the app store, it was found that the corresponding figures were roughly 4,000, 750, and 1,300 for the three problematic behaviours respectively.

FireEye has published two case studies involving advertising libraries which are widely integrated into popular apps, and which are the sources of the problem. Both Flurry and Chartboost, which are used in thousands of apps, have since issued patches which resolve the problems. In these cases, app developers themselves might have been unaware of the potential risks of adopting these third-party ad frameworks.

A single popular app, Camera360 Ultimate, with more than 250 million users, was also vulnerable till an update was released following FireEye's study. Another app which has over 100 million users but has not been patched yet was described but not named in the report.

SSL vulnerabilities have been in the news this year, especially the massive Heartbleed bug which threatened to undermine the standard itself. FireEye's report relates to apps which did not implement SSL properly.

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Advertisement

Related Stories

Popular Mobile Brands
  1. Top Smartphones Under Rs 30,000 in India (June 2025): Check List
  2. Poco F7 Spotted on Geekbench With Snapdragon 8s Gen 4, 12GB of RAM
  3. Infinix GT 30 Pro 5G Goes on Sale in India: See Launch Offers
  4. Nothing Phone 3 to Be Manufactured in India, Company Reveals Model Number
  5. LOx Leak in Falcon 9 Delays Axiom-4 Launch Carrying Indian Astronaut
  6. iPhone 17 Roundup: Price, Specifications and Everything We Know So Far
  7. OnePlus Nord 5 Allegedly Spotted on Geekbench With This Chipset
  1. Nintendo Switch 2 Closer to Xbox Series S Than PS4 in Power, Says Koei Tecmo
  2. Nothing Phone 3 to Be Manufactured in India, Company Reveals Portion of Rear Panel With Model Number
  3. Infinix GT 30 Pro 5G Now Available for Purchase in India: Price, Specifications, Offers
  4. Axiom-4 Mission Carrying Indian Astronaut Shubhanshu Shukla Reportedly Delayed Due to LOx Leak
  5. Apple to Reportedly Use AI-Powered Tags to Improve App Discoverability on the App Store
  6. Poco F7 With Snapdragon 8s Gen 4 SoC Surfaces on Geekbench After Company Hints at Imminent Launch
  7. Realme Narzo 80 Lite 5G India Launch Date Set for June 16
  8. OnePlus Nord 5 Allegedly Visits Geekbench With Snapdragon 8s Gen 3 SoC, 12GB of RAM
  9. US Senators Seek Details on Meta's Stablecoin Plans as GENIUS Act Stands Close to Approval
  10. Disney, Universal Sue Image Creator Midjourney for Copyright Infringement
Gadgets 360 is available in
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2025. All rights reserved.