  1. #1
    Editor in Chief

    Researchers find 1,000 insecure Android apps; SSL Vulnerabilities Expose Data


    According to a new study by German researchers from Leibniz University in Hannover and Philipps University of Marburg, a large swath of Android apps apparently do not implement their SSL correctly. The researchers sampled 13,000 apps and found that 1,000 of them exposed users' personal data. Here's a quote with a few more details:

    In this paper (PDF), the researchers from Leibniz University in Hannover and Philipps University of Marburg found that 17 percent of the SSL-using apps in their sample suffered from implementations that potentially made them vulnerable to man-in-the-middle (MITM) attacks.


    They state that they were “able to capture credentials from American Express, Diners Club, PayPal, bank accounts, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, remote control servers, arbitrary e-mail accounts, and IBM Sametime”.

    In addition, since virus software also uses SSL, “We were able to inject virus signatures into an anti-virus app to detect arbitrary apps as a virus or disable virus detection completely.”
    The researchers were able to determine that it wasn't really a flaw in Android, so much as it was sloppy or lazy implementation of the SSL. This seems rather disturbing. What do you guys think?

    Thanks for the tip, furbearingmammal!

    Source: Android apps get SSL wrong, expose personal data - The Register

  2. #2
    Guide Guru & Forum Administrator
    Thanks for the heads up dgstorm. I've updated our FAQ on Security with this sad information.

    A link to the FAQ is in my signature.

    PLEASE Search for existing threads before posting a new one. Thanks.

    Your opinion matters. But should you disagree - please try not to be disagreeable

    Forum guide - here ~~ T100 FAQs - here ~~ Cold boot - here

    Adobe Flash Player & Browser Guide here

    Master Help Guide - here ~~ FAQ malware - here ~~ FAQ e-reading - here
    Mobile OS devices personal pantheon...
    ANDROID: Doogee DG310; SGS; Huawei Y300; Motorola Xoom 2ME; Razr; Defy Mini; CnM Touchpad II;
    Asus TF101; Lenovo A1; Samsung Tab 2 7.0
    APPLE: iPhone 4s; iPhone 5c; iPhone 6; iPhone 7; iPad 3; iPad Mini 2; iPad Air 2 64gb
    CHROMEBOOK: HP 14-Q010sa Celeron 14 Inch 4GB 16GB Chromebook - White.

  3. #3
    Shockwave
    After seeing this I went to Google Wallet and deleted my credit card info. Sad...
    Not Your Father's Stock TF700T - KatKiss Is ON!
    Thanks to timduru - droidbound - kevinthefixer!

  4. #4
    Super Moderator & Forum Sleuth
    I've always used a disposable credit card #...still, this is disconcerting to say the least.

    Perhaps MITM should've been... monkey in the middle.

  5. #5
    Guide Guru & Forum Administrator
    To be 100% fair, I think you guys need to read between the lines a little.
    If you do, you will see that a security app released by connected parties will "fix" this issue - & I have not found this issue raised anywhere else by any other security company, so I wouldn't personally get too concerned...

    The researchers say the tool they developed for scanning apps’ SSL implementations, MalloDroid, will be available as a Web app and as part of the Androguard security scanner. ®
    Last edited by janner43; 10-23-2012 at 03:21 AM.


  6. #6
    Starscream

    I wish I could find the article again, but it was on Android Central and they had similar results, but it was with oddball third-party apps. So, for example, if you want a PayPal app, use the app made by PayPal and not a third party.

    Sent from my Nexus 7
    TF101 Transformer 32Gb

  7. #7
    Supporting Member
    This "SSL/Man in the middle" problem applies to all platforms that use SSL. These security firms and their "researchers" are always trying to scare people.
    Last edited by Swipe; 10-25-2012 at 02:31 AM.

  8. #8
    Ironhide
    Originally posted by Swipe:
    This "SSL/Man in the middle" problem applies to all platforms that use SSL. These security firms and their "researchers" are always trying to scare people.
    Yes... I have a friend who is a networking specialist, and deals with security in a practical matter. His general advice? If you have information that you don't want people to see, never put it in the Cloud, because, ultimately, no matter what they say for security policies, accidents (or human interference) happen. Be careful with financial info you use online through *any* device. Many of us put *a lot* of personal info on our phones, and regardless of man in the middle problems, it's even easier for you to get mugged at a bus stop, and have your phone end up on some cracker's desk, where he hacks into it and extracts all the info you put into it.

    Be aware of what your risks are. This goes for Android, iOS, Blackberry, etc. etc.

    PAB5204
    ASUS TF700 and dock
    Linksys E4200 Router
    Galaxy S3
    iPhone 4S
    iPad Gen 1

 

 
