Some Android apps can be tricked into leaking personal information from their users' phones, German researchers report.
The new study from researchers in the distributed computing and security group at the University of Leibniz in Hanover and the computer science department at the Philipps University of Marburg, who tested 13,500 Android apps, found that nearly 8 percent of the programs did not adequately protect user data such as logins for bank accounts and social media.
The study asserted that many of these apps proved easy to crack because they failed to use standard encryption protocols such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS), which left them open to so-called “man-in-the-middle (MITM) attacks.” These are opportunistic interception attacks, made possible when data is exposed in transit between the user’s mobile device and the website or service being accessed.
The researchers conducted the study by creating a fake Wi-Fi hotspot and running custom software that intercepted the data transmitted by apps on the wireless network. The study found that of the 13,500 apps tested, some 1,074 were “potentially vulnerable to MITM” attacks. Choosing 100 for “manual audit,” the researchers were able to steal data from 41 of them.
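The weaknesses the article describes leave a footprint in an app's code: a login request sent over cleartext HTTP, or TLS code whose certificate and hostname checks have been emptied out. The following audit script is an added example, not the researchers' tooling or anything from the report; it runs a few pattern rules over constructed Java fragments (the file names and code are invented) and goes slightly beyond the article's wording by also flagging disabled TLS validation, which exposes an app to MITM just as surely as not using TLS at all.

```python
import re

# Constructed Java fragments standing in for decompiled Android app source.
# None of this is from the study; it exists only to exercise the rules below.
SAMPLE_SOURCES = {
    "LoginActivity.java": '''
        HttpPost post = new HttpPost("http://api.example-bank.test/login");
        post.setEntity(new UrlEncodedFormEntity(params));
    ''',
    "TrustAll.java": '''
        public void checkServerTrusted(X509Certificate[] chain, String authType) {
        }
        sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    ''',
    "SafeClient.java": '''
        URL url = new URL("https://api.example-bank.test/login");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
    ''',
}

# Each rule: (finding id, regex). The patterns flag code that either sends data
# over cleartext HTTP or neuters TLS validation, the two ways an app ends up
# MITM-exposed on a hostile Wi-Fi network.
RULES = [
    # Hard-coded cleartext endpoint; credentials posted here travel unencrypted.
    ("cleartext-http-url", re.compile(r'"http://[^"]+"')),
    # X509TrustManager.checkServerTrusted with an empty body accepts any certificate.
    ("empty-checkServerTrusted",
     re.compile(r'checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}')),
    # Apache HttpClient verifier that accepts any hostname for any certificate.
    ("allow-all-hostname-verifier", re.compile(r'ALLOW_ALL_HOSTNAME_VERIFIER')),
]


def audit(sources):
    """Return {filename: [finding ids]} for every file matching at least one rule."""
    findings = {}
    for name, code in sources.items():
        hits = [rule_id for rule_id, pattern in RULES if pattern.search(code)]
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for name, hits in audit(SAMPLE_SOURCES).items():
        print(f"{name}: {', '.join(hits)}")
```

A hit is a lead for a manual review like the one the article describes, not proof of a leak; the safe client above shows why the rules stay silent on an ordinary HTTPS connection.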
“From these 41 apps, we were able to capture credentials for American Express, Diners Club, Paypal, bank accounts, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, remote control servers, arbitrary email accounts, and IBM Sametime, among others,” the report states.
The researchers also found they could disable security software or otherwise manipulate the apps, forcing them to carry out commands against the owner’s intentions.
The study added that the “cumulative install base of the apps with confirmed vulnerabilities against MITM attacks lies between 39.5 and 185 million users, according to Google's Play Market.”
A follow-up survey of 754 people suggests users often could not tell whether they were at risk.
"About half of the participants could not judge the security state of a browser session correctly," the researchers wrote.
"Most importantly, research is needed to study which counter-measures offer the right combination of usability for developers and users, security benefits and economic incentives to be deployed on a large scale," the report concluded.