James Delahunty
22 Oct 2012 18:43
Hundreds of apps found to be vulnerable to "man in the middle" attacks.
Research conducted at the University of Leibniz in Hanover and the computer science department at the Philipps University of Marburg found that hundreds of Android apps can leak personal or sensitive information. The researchers tested 13,500 Android apps from the Google Play store and found that 8 percent of them failed to adequately protect bank account details or social media login details because of SSL weaknesses.
The test utilized a crafted attack tool and a fake Wi-Fi hotspot to spy on data transmitted from the apps. In many cases, the researchers were able to retrieve login credentials for banking, email, social media or corporate networks. They could also disable security programs or trick them into labelling secure apps as infected, and in some cases could even inject code into the data stream and force apps to carry out specific commands.
Since the researchers intentionally focused on popular apps, some of the tested apps have clocked up millions of downloads.
Read more (PDF): http://www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf