I don’t think it’s ever been a secret that most mobile apps are insecure. And finally, someone went around quantifying that presumption. If you develop web apps, or if you make in-app payments or make use of cloud services containing important data, you should read this.
Here’s hoping that ‘mobile development’ stops being an excuse for poorly developed, insecure products.
Reshared post from +EuroTech
Security Alert: Many Android Apps Leak Passwords And Credit Card Data
by , ; Germany
Security researchers at the Leibniz University of Hannover and the Philipps University of Marburg in Germany have released the results of a study indicating that a number of popular Android apps are subject to serious security flaws based on inadequate use of SSL.
The analysis of the 13,500 most popular free apps from the Google Play Market has shown that 1,074 apps contain code vulnerable to man-in-the-middle (MITM) attacks targeting flaws in SSL implementations. These 1,074 apps represent 17.0% of the apps that contain HTTPS URLs. To evaluate the real threat posed by the potential vulnerabilities, the researchers manually mounted MITM attacks against 100 selected apps from that set, connected to a WiFi access point with a MITM SSL proxy. The attack vectors were an SSL proxy presenting either a self-signed certificate or one that was signed by a trusted CA, but for an unrelated hostname. Of the 100 apps selected for the manual audit, 41 apps proved to have exploitable vulnerabilities.
What’s at stake?
The attacks were able to return bank account information, payment credentials for PayPal, American Express, Twitter, Google, Yahoo, Microsoft Live ID, and others. Furthermore, Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained, and control channels for apps and remote servers could be subverted. The cumulative number of installs of apps in the test set of 100 apps with confirmed vulnerabilities against MITM attacks is between 39.5 and 185 million users, according to Google’s Play Market.
The researchers successfully manipulated virus signatures downloaded via the automatic update functionality of an anti-virus app to neutralize the protection or even to remove arbitrary apps, including the anti-virus program itself. It was also possible to remotely inject and execute code in an app created by a vulnerable app-building framework.
What to do?
As a stop-gap measure, the team is going to offer the “MalloDroid” tool, which was written and used to detect the vulnerabilities, as a Web app. This will allow interested users to perform checks on apps before they install them.
The paper recommends that OS and app developers enforce certificate checking, use HTTPS everywhere and improve permissions and policies, as well as simple visual feedback regarding the security status of a given transaction.
And my iPhone?
The study was conducted among Android apps, using a Samsung Galaxy Nexus smartphone with Android 4.0 Ice Cream Sandwich, but app security issues are likely to pop up on other platforms, as well.