Many popular Android apps, including some apps from banks, publishers, and other large organizations, pose significant security threats. This is the conclusion reached by researchers at the Fraunhofer Institute for Secure Information Technology in Darmstadt, Germany (Fraunhofer SIT). By exploiting weaknesses in the way the well-known SSL security protocol is used, attackers can steal sensitive access data, e.g., user names and passwords. Fraunhofer SIT informed over 30 app manufacturers that were affected; so far 16 have reacted and closed the security gap. Among those were Amazon, Yahoo, Google, and Volkswagen Bank. A list of the apps that have security updates available can be found here.

The security risk for the user depends on the intended use of the vulnerable app: With some apps only photos are subject to potential manipulation; however, in the case of a banking app, access data could be used for unauthorized transfers or other bank account manipulations. An especially grave risk may occur if apps use the single-sign on services of Google or Microsoft. In these cases access data is used for a variety of services, like email, cloud storage, and instant-messaging.

The vulnerability is introduced by an incorrect use of the Secure Socket Layer protocol (SSL). SSL cryptographically protects the connection between apps and servers. This protection relies on so-called public-key certificates. When receiving such a certificate, apps are supposed to verify that it actually belongs to the server they want to communicate with. The researchers at Fraunhofer SIT found that in the listed apps, this verification is not done correctly. “From a technical perspective, this is a small mistake. But it can have a huge impact on security,” says Dr. Jens Heider from Fraunhofer SIT. For example, attackers only need to manipulate the communication that takes place while surfing via WLAN in order to acquire the access data. This is especially easy anywhere WLAN communication is not encrypted, for example at many public access points, like airports, hotels, and restaurants. It is in these situations that the SSL encryption is supposed to ensure secure communication.

“In principle, the vulnerability is extremely easy to fix,” says Heider. He and his team already informed the manufacturers several weeks ago and asked for the weakness to be remedied. Some manufacturers have reacted quickly; Volkswagen Bank even made a security update available within one day. The test team has rechecked every new update. “Users need to make sure they always update their apps to the newest version,” recommends Heider. On the whole, the Fraunhofer SIT experts recommend using apps carefully in public WLAN areas. The vulnerability was noticed during the pilot phase of the new Fraunhofer SIT test framework “Appicaptor,” which automatically tests the security of apps. The Fraunhofer experts tested a total of 2,000 Android apps.