University research paper picks apart Droid security
Android security is a common point of discussion, and it’s no different here as a university research paper has noted that certain Android apps leave users’ details out in the open.
The paper, jointly by Leibniz University of Hanover and Philipps University of Marburg which looked at “the inadequate use of SSL (secure socket layer) in Android apps”, found that 8% of the 13,500 most popular apps in the Google Play store failed to protect social media and bank account details.
Because Android differs from the walled garden approach of Apple, while app downloads and development is relatively unrestricted in Google Play, it can also create big security headaches.
The introduction to the research paper notes that due to inadequacies in SSL and TLS (transport layer security), Android systems can be subject to man-in-the-middle (MITM) attacks, whereby two users believe they are having a private conversation which is in reality controlled by the attacker.
The methodology revolved around a fake Wi-Fi spot and two artificial MITM attackers created by the researchers: Eve, a 'passive' attacker who could only eavesdrop on conversations; and Mallory, who had the ability to tamper with communications.
From 1074 potentially vulnerable apps spotted, a sample of 100 were hacked by the researchers and, of those, 41 were vulnerable to MITM attacks “due to various forms of SSL misuse”, according to the report.
Overall, the researchers managed to get data and credentials from American Express, Paypal, Facebook, Twitter, Google, Yahoo, Microsoft Live and WordPress among others.
Another facet of the study revolved around a user survey of over 750 participants, which revealed a lack of understanding concerning secure connections.
Of those who defined themselves as non IT experts, 47.5% thought they were using a secure connection when infact the survey was served over basic HTTP and, more worryingly, 34.7% of those who claimed to have IT knowledge erroneously thought they were secure.
Android security has generated plenty of column inches over the months, with recent news that the latest iteration of Google Play will have a built-in malware detector coming as something of a boon.
Yet the researchers indicate in their conclusion that more studies are in the offing with the results they found, so watch this space.
- » Be aware, Play Store approval times will now take longer
- » DRM system Denuvo is coming to Android as ‘Mobile Game Protection’
- » Google will pay hackers to discover bugs in apps with over 100m installs
- » Apple’s September event developer updates: iOS 13, watchOS 6, Apple Arcade, and more