AfterDawn: Tech news

Android apps flawed - leak personal information

Written by James Delahunty @ 22 Oct 2012 6:43 User comments (3)

Android apps flawed - leak personal information Hundreds of apps found to be vulnerable to "man in the middle" attacks.
Research conducted at the University of Leibniz in Hanover and the computer science department at the Philipps University of Marburg, found that hundreds of Android apps can leak personal or sensitive information. The researchers tested 13,500 Android apps from the Google Play store, and found that 8 percent of them failed to protect bank account details, or social media login details, adequately, due to SSL weaknesses.

The test utilized a crafted attack tool and a fake Wi-Fi hotspot to spy on data transmitted from the apps. In many cases, the researchers were able to retrieve login credentials for banking, email, social media or corporate networks. They could also disable security programs or spoof them into labelling secure apps as infected, and in cases could even inject code into the data stream and force apps to carry out specific commands.



Since the researchers intentionally focused on popular apps, some of the tested apps have clocked up millions of downloads.

Read more (PDF): http://www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf

Previous Next  

3 user comments

122.10.2012 19:21

Snippet from the article regarding apps they tested (in case you don't want to dig...all these had SSL weaknesses):

Amazon MP3 10-50 million
Chrome 0.5-1 million
Dolphin Browser HD 10-50 million
Dropbox 10-50 million
Ebay 10-50 million
Expedia Bookings 0.5-1 million
Facebook Messenger 10-50 million
Facebook 100-500 million
Foursquare 5-10 million
GMail 100-500 million
Google Play Market All Phones
Google+ 10-50 million
Hotmail 5-10 million
Instagram 5-10 million
OfficeSuite Pro 6 1-5 million
PayPal 1-5 million
Yahoo! Messenger 10-50 million
Yahoo! Mail 10-50 million

223.10.2012 00:19

There is an android app you can install on your phone and make a fake wifi hotspot and steal all of someones data that connects through you. I don't remember what it is called.

This message has been edited since its posting. Latest edit was made on 23 Oct 2012 @ 12:20

323.10.2012 00:24

the same may be true for other mobile apps in other mobile OSs, too. the bottomline is that you don't want to use your mobile apps for transactions that needs high security level.

Comments have been disabled for this article.

News archive