Common Android apps can leak information through SSL holes


Some commonly used Android apps are susceptible to man-in-the-middle attacks on their SSL connections, German researchers conclude from their own research. Moreover, apps such as Facebook and Gmail are susceptible to attacks that use valid but incorrect SSL certificates.

The researchers do not mention a single app by name, but the three major apps with big security holes have between 30 and 150 million users, the researchers of Leibniz University in Hannover state in their paper. The consequences can be far-reaching: through a man-in-the-middle attack, data such as Facebook logins, credit card information and the user's address book can be intercepted.

The holes lie in the implementation of SSL: some apps do not check SSL certificates properly and also accept certificates that the researchers signed themselves. SSL certificates are only supposed to be trusted when they have been signed by a certificate authority.

In addition to the holes in SSL security, few apps turned out to support 'SSL pinning'. With SSL pinning, the app accepts only a certificate approved by the developer for SSL. This is possible because an app usually communicates with only one or a few secured servers; a Dropbox app, for example, does not need to accept a valid certificate for Gmail.

Due to the lack of SSL pinning, apps remain susceptible when a man-in-the-middle attack is carried out with a valid but wrong certificate. This smaller security hole could be exploited after a hack like the one at certificate authority DigiNotar last year.

Only Twitter has SSL pinning; Facebook and all of Google's apps, such as the Play Store and Gmail, do not support it. Dropbox, Foursquare and Hotmail also have no support for SSL pinning. This security hole is smaller than the other because, for example, browsers cannot support SSL pinning: the user must be able to log in to many different services.
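The two levels of weakness the article describes (apps that accept any certificate at all, and apps that validate the CA chain but do not pin) can be modelled in a few lines. The following Python is an added example written for this page, not code from the researchers' study or from any of the apps named; the certificate bytes and pin values are constructed stand-ins, and the `evaluate()` policy function is a hypothetical model of three client behaviours rather than any real app's code.

```python
"""Added example (not from the article or the researchers' paper): a small
client-side model of the SSL flaws described above.

Three client policies are compared:
  "accept-all": no certificate check at all (the hole the researchers found)
  "ca-only":    CA-chain validation, no pinning (Facebook, Gmail, Dropbox in the article)
  "pinned":     CA-chain validation plus a developer allow-list of certificate
                fingerprints (Twitter in the article)
"""
import hashlib
import ssl
from typing import Iterable

# Constructed stand-ins for DER-encoded leaf certificates. A real client would
# take these from ssl.SSLSocket.getpeercert(binary_form=True).
PINNED_SERVER_CERT_DER = b"constructed-der-bytes-of-the-real-server-cert"
MITM_SERVER_CERT_DER = b"constructed-der-bytes-of-an-attacker-cert"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER certificate, the usual pin format."""
    return hashlib.sha256(cert_der).hexdigest()


# The allow-list a developer would compile into the app (hypothetical value).
PINS = {fingerprint(PINNED_SERVER_CERT_DER)}


def broken_context() -> ssl.SSLContext:
    """Reproduces the flaw: every certificate is accepted, including self-signed
    ones. Equivalent to an Android TrustManager whose checkServerTrusted() is empty.
    check_hostname must be cleared before verify_mode, or ssl raises ValueError."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """CA-chain validation plus hostname check; pinning is layered on top of this."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def is_pinned(cert_der: bytes, pins: Iterable[str] = PINS) -> bool:
    """True only if the presented leaf certificate is on the app's pin list."""
    return fingerprint(cert_der) in set(pins)


def evaluate(policy: str, cert_der: bytes, chain_valid: bool,
             pins: Iterable[str] = PINS) -> bool:
    """Decide whether a client with the given policy accepts the server certificate.

    chain_valid models the result of normal CA validation. A mis-issued but
    CA-signed certificate (the DigiNotar case) arrives with chain_valid=True,
    which is exactly why "ca-only" is not enough and "pinned" still rejects it.
    """
    if policy == "accept-all":
        return True                      # the researchers' self-signed cert passes
    if policy == "ca-only":
        return chain_valid               # valid-but-wrong cert passes
    if policy == "pinned":
        return chain_valid and is_pinned(cert_der, pins)
    raise ValueError(f"unknown policy: {policy}")


def check_live_peer(sock: ssl.SSLSocket, pins: Iterable[str] = PINS) -> bool:
    """Post-handshake pin check for a real connection made with hardened_context();
    the caller must close the socket when this returns False."""
    peer_der = sock.getpeercert(binary_form=True)
    return peer_der is not None and is_pinned(peer_der, pins)


if __name__ == "__main__":
    for policy in ("accept-all", "ca-only", "pinned"):
        print(policy,
              "self-signed:", evaluate(policy, MITM_SERVER_CERT_DER, chain_valid=False),
              "mis-issued:", evaluate(policy, MITM_SERVER_CERT_DER, chain_valid=True),
              "pinned cert:", evaluate(policy, PINNED_SERVER_CERT_DER, chain_valid=True))
```

The pin is computed over the whole leaf certificate, so it must be rotated whenever the server certificate is renewed; pinning the public key (SPKI) instead survives renewals that keep the same key, which is a common production choice. The `check_hostname`/`verify_mode` ordering in `broken_context()` is the only reason that function is more than one line: Python refuses to disable verification while hostname checking is still on.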

In total, roughly 1,000 of the 13,000 surveyed apps turned out to have an SSL vulnerability. The researchers examined one hundred of them manually in more detail. Android 4.2 is rumored to have better security, although the leaks in the apps themselves will not be fixed by that. The researchers focused their research on Android because the investigation is easier there than on, for example, iOS or Windows Phone. In addition, most smartphones currently run Google's mobile platform.