Researchers compile list of Android apps that allow MitM attacks


Petrovic

Apr 25, 2013
Around 350 Android apps that can be downloaded from Google Play and Amazon stores fail to properly validate SSL certificates for HTTPS connections, and thus open users to Man-in-the-Middle attacks if they use them on insecure and open networks, a researcher with the CERT Coordination Center at the Software Engineering Institute at Carnegie Mellon University warned.

The vulnerable apps have been discovered via automated testing using the CERT Tapioca testing appliance, and the researchers keep a list of these updated - among them are OKCupid's official app, (ironically) a number of security apps, but most worryingly, a number of e-commerce (such as an eBay app for German users) and e-banking apps.

The list is not yet complete. The setup created by the researchers tests only one application at a time, and the testing started only a few weeks ago.

They chose to go public with this information before giving the vendors their usual 45 days to fix the issues because "if an attacker is interested in performing MITM attacks, they're already doing it."

"They've likely set up a rogue access point and are already capturing all of the traffic that passes through it. Further supporting this suspicion is the fact that the FTC has already filed charges against the authors of two mobile applications that fail to validate SSL certificates," pointed out researcher Will Dormann.

"Knowing which specific applications are affected does not give any advantage to an attacker. If end users have vulnerable applications on their phones, knowing which applications are affected does give an advantage to the defenders. They can choose to uninstall vulnerable applications until fixes are available, or if they must, they can choose to use said applications only on trusted networks," he explained the reasoning behind the disclosure.
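Added example in Java, the language of Android apps; it is not code from the article, from CERT, or from this thread. It shows the empty trust manager that produces the validation failure described above, next to a hardened form that keeps platform validation and additionally pins the server key. The class name TlsTrust and the pin value passed to install are assumptions; a real app would ship the SHA-256 of its own server's SubjectPublicKeyInfo.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.net.ssl.*;
public class TlsTrust {
    // ANTI-PATTERN: the defect the CERT list records. Every server certificate is
    // accepted, so a rogue access point can present its own cert and read the traffic.
    static TrustManager[] trustEverything() {
        return new TrustManager[] { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) {}
            public void checkServerTrusted(X509Certificate[] c, String a) {} // no check at all
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
    }
    // Platform default validator: chain building, expiry and trust anchors from the system store.
    static X509TrustManager platformDefault() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = use the system trust store
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        throw new IllegalStateException("no X509TrustManager available");
    }
    // HARDENED: run the platform validator first, then additionally require the leaf
    // certificate's SubjectPublicKeyInfo hash to match a pin the app ships with (assumed value).
    static X509TrustManager pinned(X509TrustManager delegate, String expectedSpkiSha256B64) {
        return new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.checkClientTrusted(c, a); }
            public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
                delegate.checkServerTrusted(c, a); // standard validation, never skipped
                try {
                    byte[] spki = c[0].getPublicKey().getEncoded();
                    String got = Base64.getEncoder().encodeToString(MessageDigest.getInstance("SHA-256").digest(spki));
                    if (!got.equals(expectedSpkiSha256B64)) throw new CertificateException("SPKI pin mismatch: " + got);
                } catch (java.security.NoSuchAlgorithmException e) {
                    throw new CertificateException(e);
                }
            }
            public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
        };
    }
    // Wire the hardened manager into HttpsURLConnection; the default HostnameVerifier stays in place.
    static void install(String pinB64) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { pinned(platformDefault(), pinB64) }, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }
}
```

Any app whose trust manager looks like trustEverything, or that replaces the HostnameVerifier with one that returns true, is exactly what a test rig like CERT Tapioca will flag, because the app completes the handshake with a certificate the device does not trust.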
 

Aura

Jul 29, 2014
Is that list available somewhere by the way?
Would love to see how many popular apps are vulnerable to it.