According to the researchers from Germany’s Leibniz University of Hannover and Philips University of Marburg, Android apps which the security experts failed to properly test are now opening the OS up to malware. They have found out that over 40 apps in Google’s Play Market leak personal details while travelling between handsets that run Android and webservers for banks and other online services.
When you connect Android devices to a local area network which used a wide range of well-known exploits, some of which are found on the Internet, it is very easy to defeat the security protocols used by the above mentioned applications. All of them are quite popular and have been downloaded from up to 185 million times, which means that there is an outstanding number of vulnerable Android devices out there.
According to the researchers, they managed to collect bank account data, payment credentials for PayPal, American Express and so on. In addition, Facebook, email and cloud storage credentials and messages also easily leaked. Moreover, it took almost no time to access the IP cameras! Another reason for the devices to become vulnerable is the fragility of both the SSL and TLS protocols which built the basis for encryption between websites and users.
Although the technology itself is quite secure, its protection is undermined when certificate authorities fail to secure their infrastructure. In frames of the experiment, the researchers downloaded 13,500 free applications from Google Play in order to find out whether their SSL implementations were vulnerable to the exploits. In result, it turned out that 8% of the sample (more than one thousand applications) contained SSL code and therefore were potentially vulnerable to the attacks. Out of those apps, a hundred was picked by the researchers to crack. 41% of them appeared really vulnerable.
Surprisingly enough, the researchers didn’t compare the results with Apple apps. Instead, the researchers admitted that it was due to the openness of the Google platform that they could perform static analysis of vulnerability, while it’s hard to do the same for Apple software. Anyway, it might appear that the vulnerability to applications is universal for the pocket devices in general. In this case, the companies would have to prohibit do-it-yourself policies on that basis.
When you connect Android devices to a local area network which used a wide range of well-known exploits, some of which are found on the Internet, it is very easy to defeat the security protocols used by the above mentioned applications. All of them are quite popular and have been downloaded from up to 185 million times, which means that there is an outstanding number of vulnerable Android devices out there.
According to the researchers, they managed to collect bank account data, payment credentials for PayPal, American Express and so on. In addition, Facebook, email and cloud storage credentials and messages also easily leaked. Moreover, it took almost no time to access the IP cameras! Another reason for the devices to become vulnerable is the fragility of both the SSL and TLS protocols which built the basis for encryption between websites and users.
Although the technology itself is quite secure, its protection is undermined when certificate authorities fail to secure their infrastructure. In frames of the experiment, the researchers downloaded 13,500 free applications from Google Play in order to find out whether their SSL implementations were vulnerable to the exploits. In result, it turned out that 8% of the sample (more than one thousand applications) contained SSL code and therefore were potentially vulnerable to the attacks. Out of those apps, a hundred was picked by the researchers to crack. 41% of them appeared really vulnerable.
Surprisingly enough, the researchers didn’t compare the results with Apple apps. Instead, the researchers admitted that it was due to the openness of the Google platform that they could perform static analysis of vulnerability, while it’s hard to do the same for Apple software. Anyway, it might appear that the vulnerability to applications is universal for the pocket devices in general. In this case, the companies would have to prohibit do-it-yourself policies on that basis.
No comments:
Post a Comment