Around 350 Android apps that can be downloaded from Google Play and Amazon stores fail to properly validate SSL certificates for HTTPS connections, and thus open users to Man-in-the-Middle attacks if they use them on insecure and open networks, a researcher with the CERT Coordination Center at the Software Engineering Institute at Carnegie Mellon University warned.
The vulnerable apps were discovered through automated testing with the CERT Tapioca testing appliance, and the researchers maintain an updated list of them. Among the affected apps are OKCupid’s official app, (ironically) a number of security apps and, most worryingly, a number of e-commerce apps (such as an eBay app for German users) and e-banking apps.
The list is not yet complete. The setup created by the researchers tests only one application at a time, and the testing started only a few weeks ago.
They chose to go public with this information before giving the vendors their usual 45 days to fix the issues because “if an attacker is interested in performing MITM attacks, they’re already doing it.”
“They’ve likely set up a rogue access point and are already capturing all of the traffic that passes through it. Further supporting this suspicion is the fact that the FTC has already filed charges against the authors of two mobile applications that fail to validate SSL certificates,” pointed out researcher Will Dormann.
“Knowing which specific applications are affected does not give any advantage to an attacker. If end users have vulnerable applications on their phones, knowing which applications are affected does give an advantage to the defenders. They can choose to uninstall vulnerable applications until fixes are available, or if they must, they can choose to use said applications only on trusted networks,” he explained the reasoning behind the disclosure.