Security researchers from the Leibniz University of Hanover and the computer science department at the Philipps University of Marburg have tested 13,500 popular free Android apps and found that 8.0% of these apps contain SSL/TLS implementations that are vulnerable to Man-in-the-Middle (MITM) attacks.
The researchers created a tool called MalloDroid which is designed to detect potential vulnerabilities to MITM attacks. The tool performs static code analysis of the networking API calls to extract valid HTTP(S) URLs, checks the validity of the SSL certificates of all the extracted HTTPS hosts, and identifies apps that contain non-default trust managers. Running the tool on the 13,500 samples showed that 1,074 of the apps exhibited some kind of potential vulnerability.
From these 1,074 apps a further 100 were picked for manual audit to investigate different SSL problems, including the acceptance of all SSL certificates regardless of their validity. This manual audit revealed that 41 of the apps were vulnerable to MITM attacks due to SSL misuse.
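The static check MalloDroid applies for non-default trust managers and "accept everything" certificate handling can be illustrated with a small scanner over Java source. This is an added example, not MalloDroid's own code; the Java snippets, class names and message strings are constructed here for illustration.

```python
import re

# Constructed Java in the "accept every certificate" style the study describes.
SAMPLE_SOURCE = """
public class LaxTrust implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    public void checkServerTrusted(X509Certificate[] chain, String authType) {
        // intentionally empty: every server certificate is accepted
    }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
});
"""

# Constructed counterpart that delegates to the platform checks and adds a pin.
SAFE_SOURCE = """
public class PinnedTrust implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        defaultTm.checkServerTrusted(chain, authType);
        if (!pinMatches(chain[0])) throw new CertificateException("pin mismatch");
    }
}
"""

def _method_body(src, name):
    # Locate the method signature (optionally with a throws clause), then walk braces.
    m = re.search(r'\b' + name + r'\s*\([^)]*\)(\s*throws[\w\s,.]*)?\s*\{', src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {'{': 1, '}': -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def _is_noop(body):
    # A body that is empty (or only "return;") once comments are stripped never throws.
    body = re.sub(r'//[^\n]*|/\*.*?\*/', '', body, flags=re.S).strip()
    return body in ('', 'return;')

def find_tls_issues(src):
    issues = []
    if re.search(r'implements\s+[\w\s,]*X509TrustManager', src):
        body = _method_body(src, 'checkServerTrusted')
        if body is not None and _is_noop(body):
            issues.append('checkServerTrusted never throws: accepts any server certificate')
    body = _method_body(src, 'verify')
    if body is not None and re.fullmatch(r'return\s+true\s*;', body.strip()):
        issues.append('HostnameVerifier.verify always returns true: hostname not checked')
    if 'ALLOW_ALL_HOSTNAME_VERIFIER' in src:
        issues.append('ALLOW_ALL_HOSTNAME_VERIFIER in use')
    return issues
```

Findings from a scanner like this are only candidates; as in the study, a manual audit is still needed to confirm which flagged apps are actually exploitable.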
In a particularly embarrassing case, the researchers found that the Zoner AntiVirus app updated its virus signatures over a broken SSL connection. Because the developers considered the connection secure and tamper-proof, there was no built-in verification or validation of the downloaded signature files. This meant that the team was able to insert its own signature files. In one test they added a signature for the anti-virus app itself; the app then recognized itself as malware and recommended its own deletion. The Zoner AntiVirus app has been downloaded more than 500,000 times!
By the end of their research the team had managed to capture credentials for American Express, Diners Club, Paypal, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, IBM Sametime, remote servers, bank accounts and email accounts.
The total cumulative number of installs of all the MITM vulnerable apps is between 39.5 and 185 million users, according to the download numbers from Google’s Play Store.