While there have been numerous studies seeking to find and understand Android malware, this study examined benign Android apps that could be exploited by third parties. The subject of the study is SSL and its successor TLS, the protocols used to secure internet communications. Since communications and the internet lie at the heart of Android use, many apps quite legitimately seek internet permissions; but users have no way of knowing whether the communications are secure. “This paper,” say the researchers, “seeks to better understand the potential security threats posed by benign Android apps that use the SSL/TLS protocols to protect data they transmit.”
The researchers examined 13,500 popular free apps from Google Play. To help their analysis they developed their own tool, called MalloDroid, to perform a static analysis of the apps’ code, and found that “1,074 (8.0%) of the apps examined contain SSL/TLS code that is potentially vulnerable to MITM attacks.” To confirm these findings, they selected 100 apps for manual investigation, and were able to “successfully launch MITM attacks against 41 apps and gather a large variety of sensitive data.”
The purpose of SSL/TLS is to secure communication between the user and the destination website. If this isn’t done, or is implemented insecurely, attackers can sit between the user and the website (hence ‘man-in-the-middle’) and read the data that passes. During the manual tests, the researchers “were able to capture credentials for American Express, Diners Club, Paypal, bank accounts, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, remote control servers, arbitrary email accounts, and IBM Sametime, among others.”
A separate survey of 754 Android users indicated a wide lack of understanding about SSL security. 378 users did not accurately judge the security state of a browser session, while 419 had not seen a certificate warning, and even then considered the risk to be medium or low.
The combination of a poor understanding about SSL, Android’s open approach to app development, and insecure SSL implementations means that many millions of users are exposed to MITM attacks. “The cumulative number of installs of apps with confirmed vulnerabilities against MITM attacks is between 39.5 and 185 million users, according to Google’s Play Market,” say the researchers. They outline several avenues for future research to solve or at least alleviate the problem, but will in the meantime, they say, “provide a MalloDroid Web App and will make it available to Android users.” With this app, users will at least know whether the apps they use are susceptible to MITM.