SSL implementation flaws found in many Android apps
A study conducted by German researchers found that more than 1,000 out of 13,500 Android applications contained serious flaws in their SSL implementation, reports The Register.
These apps either suffered from implementation flaws or lacked visual security indicators, and both weaknesses could be exploited to launch man-in-the-middle attacks. This includes apps that give the user insufficient feedback about the security of a connection, and lazy implementations by developers that essentially short-circuit the SSL security checks.
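The "lazy implementation" the study describes is, in the paper's findings, most often a custom `X509TrustManager` whose `checkServerTrusted` method accepts every certificate, or a `HostnameVerifier` that accepts every host name. The following Android/Java snippet is an added example (not code from the paper or from any of the apps it examined) that places that vulnerable pattern beside the hardened form; the class and method names (`AndroidSslExamples`, `vulnerableConnection`, `hardenedConnection`) are my own.

```java
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class AndroidSslExamples {

    // VULNERABLE PATTERN: a "trust-all" TrustManager. checkServerTrusted returns
    // without inspecting the chain, so a self-signed, expired or wrong-host
    // certificate is accepted and an interception proxy on the path goes unnoticed.
    static final TrustManager[] TRUST_ALL = new TrustManager[] {
        new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };

    // VULNERABLE PATTERN: a HostnameVerifier that accepts any host. Even with a
    // valid chain, a certificate issued for a different domain is accepted.
    static final HostnameVerifier ALLOW_ANY_HOST = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) { return true; }
    };

    // Builds a connection with both checks short-circuited. This is the shape of
    // code the study found; it is shown here only so a reviewer can recognise it.
    static HttpsURLConnection vulnerableConnection(URL url)
            throws IOException, GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, TRUST_ALL, null);           // chain validation disabled
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(ALLOW_ANY_HOST);  // host-name check disabled
        return conn;
    }

    // HARDENED: rely on the platform defaults. The default SSLSocketFactory
    // validates the chain against the device trust store, and the default
    // HostnameVerifier checks the certificate's subject against the URL host.
    // Not calling setSSLSocketFactory or setHostnameVerifier is the fix.
    static HttpsURLConnection hardenedConnection(URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        return conn;
    }
}
```

When auditing an app's source or decompiled code, the indicators to look for are an `X509TrustManager` whose `checkServerTrusted` body is empty (or only logs), a `HostnameVerifier.verify` that unconditionally returns `true`, and use of the legacy Apache constant `SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER`. Any of these should be treated as a finding regardless of how the app otherwise presents its connection as secure.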
The article also noted how malware developers can exploit these SSL flaws. The paper states: "We were able to inject virus signatures into an anti-virus app to detect arbitrary apps as a virus or disable virus detection completely." The latter is cause for concern, though the article does not make clear how virus detection was disabled in this way.
While SSL is generally considered secure, the problems of improper SSL implementation, which can render its encryption useless or expose sensitive information, have long been known. In a report last year on how widespread improper SSL implementations are, Qualys found that only one-fifth of the 250,000 SSL-enabled sites it surveyed were properly redirecting users to SSL for authentication.
You can read the paper, entitled "Why Eve and Mallory love Android: An analysis of Android SSL (In)Security," here (pdf).
- see this article at The Register