
8% of apps on Google Play potentially threaten user security

German researchers (yes, yes, this time their British colleagues have nothing to do with it!) have just published the results of a recent study of the security of Android applications hosted on Google Play. A short piece on Mashable about the study, with a brief talking-head video and the flashy headline "Study Reveals Android Apps Leak Personal Data", made me go to the original source.

In short, the findings were as follows (what follows is a translation of the report's summary):

Results


1,074 of the 13,500 applications examined use SSL when sending personal data (logins, passwords, billing information, etc.), but either accept any certificate without validation or accept a certificate for any hostname, and are therefore potentially vulnerable to man-in-the-middle (MITM) attacks.

Of 100 applications selected for more detailed manual testing, 41 turned out to be actually vulnerable to such attacks because of incorrect SSL handling.

The total number of users who have installed the applications whose vulnerability was confirmed by testing is between 39.5 and 185 million, according to Google Play Market. Three of these applications each have between 10 and 50 million users. The range is so wide because Google Play Market does not show an exact number of users for an application, only the bracket it falls into. The real number is probably larger still, since besides the official repository there are unofficial ones too.

From the data transmitted by these 41 applications, the researchers were able to extract billing data for American Express, Diners Club and PayPal, credentials for various bank accounts, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, WordPress and remote-control servers, passwords for e-mail services and IBM Sametime, and so on.

In addition, the researchers were able to inject their own virus signatures into an antivirus application so that it treated arbitrary software as a virus, or stopped detecting viruses altogether. The reason was that the antivirus accepted signature-database updates over a broken SSL connection that it mistakenly trusted, and did not check the integrity of the received update; it even accepted updates that completely wiped the signature database.

It was also possible to remotely inject and run code in an application built with an app-creation framework in which the same vulnerability was found.

Worse, 378 (50.1%) of the 754 Android users polled online could not tell whether the browser was transmitting data over SSL or not. 419 (55.6%) of the 754 had not seen any warning about an invalid certificate, and those who had usually rated the risk they were warned about as medium or low. The respondents included IT specialists (38.1% considered themselves IT experts, and 23.2% had dealt in the past with compromised accounts or other compromised authentication data).
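The two validation mistakes behind the first findings above, a trust manager that accepts any certificate and a hostname verifier that accepts any name, shown beside a hardened client. This is an added Java example, not code from the study or from any of the tested applications; the class and method names are mine, and the public-key pin check in `hardenedConnection` is an extra measure of my own on top of the default validation the study says is missing.

```java
import java.io.IOException;
import java.net.URL;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class SslValidationExample {

    // ---- The broken pattern the study describes (do not ship this) ----
    // checkServerTrusted() never throws, so any certificate chain, including a
    // self-signed one produced by an attacker on the same Wi-Fi, is accepted.
    static final TrustManager[] TRUST_EVERYTHING = new TrustManager[] {
        new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };
    // Always returns true, so a perfectly valid certificate for attacker.example
    // is accepted when the app believes it is talking to bank.example.
    static final HostnameVerifier TRUST_ANY_HOST = (hostname, session) -> true;

    static HttpsURLConnection brokenConnection(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, TRUST_EVERYTHING, null);
        HttpsURLConnection c = (HttpsURLConnection) url.openConnection();
        c.setSSLSocketFactory(ctx.getSocketFactory()); // any certificate passes
        c.setHostnameVerifier(TRUST_ANY_HOST);         // any hostname passes
        return c;
    }

    // ---- Hardened form ----
    // Leave the platform defaults alone (system trust store, standard hostname
    // check) and additionally compare the SHA-256 of the leaf certificate's
    // SubjectPublicKeyInfo with a pin compiled into the app, so a certificate
    // mis-issued by an otherwise trusted CA is rejected as well.
    static HttpsURLConnection hardenedConnection(URL url, byte[] expectedSpkiSha256) throws IOException {
        HttpsURLConnection c = (HttpsURLConnection) url.openConnection();
        c.connect(); // TLS handshake with default chain and hostname validation
        Certificate[] chain = c.getServerCertificates(); // leaf first
        if (!pinMatches(chain[0], expectedSpkiSha256)) {
            c.disconnect();
            throw new SSLPeerUnverifiedException("public-key pin mismatch for " + url.getHost());
        }
        return c;
    }

    // Constant-time comparison of the leaf public key's SHA-256 with the pin.
    static boolean pinMatches(Certificate leaf, byte[] expectedSpkiSha256) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                                         .digest(leaf.getPublicKey().getEncoded());
            return MessageDigest.isEqual(digest, expectedSpkiSha256);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory in every JRE
        }
    }
}
```

The pin is the SHA-256 of the server's DER-encoded public key; for a server you control it can be computed offline with `openssl x509 -in server.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256`. Ship a backup pin for the next key so a key rotation does not lock users out.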

Moral for developers: be vigilant!
Moral for users: do not use open Wi-Fi without a password where it can be avoided. If it cannot be avoided, use only very, very reliable and proven applications (for me, that probably means only Gmail from Google).
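For the antivirus finding above, the missing check is an end-to-end integrity check on the update itself, independent of whether the transport is SSL or not. This is an added Java example, not the antivirus vendor's code: the vendor signs the signature database with a key whose public half ships inside the app, and the client applies an update only if the detached signature verifies. The class name, the constructed sample database and the rule that an empty database is rejected are assumptions of mine.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;

public class SignedUpdateExample {

    // Vendor side: sign the update blob. The private key stays with the vendor.
    static byte[] sign(PrivateKey vendorKey, byte[] update) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(vendorKey);
        s.update(update);
        return s.sign();
    }

    // Client side: accept the bytes only if the detached signature verifies
    // under the vendor's public key embedded in the app. A MITM who controls
    // the connection can still deliver bytes, but cannot produce this signature.
    static boolean verify(PublicKey vendorKey, byte[] update, byte[] signature) {
        try {
            Signature s = Signature.getInstance("SHA256withECDSA");
            s.initVerify(vendorKey);
            s.update(update);
            return s.verify(signature);
        } catch (GeneralSecurityException e) {
            return false; // malformed signature or key: treat as not verified
        }
    }

    // Policy for a signature database (assumption): it must verify AND must
    // not be empty, so an "update" that wipes every signature is refused.
    static boolean acceptSignatureDb(PublicKey vendorKey, byte[] db, byte[] signature) {
        return db.length > 0 && verify(vendorKey, db, signature);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair vendor = kpg.generateKeyPair();

        // Constructed sample database, not a real signature set.
        byte[] db = "sig1:deadbeef\nsig2:cafebabe\n".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(vendor.getPrivate(), db);

        byte[] tampered = "sig1:deadbeef\nsig2:00000000\n".getBytes(StandardCharsets.UTF_8);
        byte[] wiped = new byte[0];

        System.out.println("genuine update accepted:  " + acceptSignatureDb(vendor.getPublic(), db, sig));
        System.out.println("tampered update accepted: " + acceptSignatureDb(vendor.getPublic(), tampered, sig));
        System.out.println("wiped update accepted:    " + acceptSignatureDb(vendor.getPublic(), wiped, sig));
    }
}
```

The signature check is what makes the transport irrelevant: the broken SSL connection the study describes would still have let the attacker read the update, but not substitute one. A version number inside the signed blob, compared against the installed version before applying, additionally stops replay of an older but genuinely signed database.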

For further reading


Full text of the report
Another story, this time about the Trojan!FakeLookout.A Trojan for Android, which infected an application in Google Play Market (in English)
Translation of the story about Trojan!FakeLookout.A with my brief author's comments.

Source: https://habr.com/ru/post/156327/
