

Android apps used by millions vulnerable to password, e-mail theft - lawlypop
http://arstechnica.com/security/2012/10/android-apps-expose-passwords-e-mail-and-more/

======
CaveTech
Sadly not too many details are published. Wouldn't be surprised if the main
vulnerability was caused by applications blindly trusting any certificate -
which happens to be a fairly common design pattern when dealing with Android.
Sadly, a lot of popular signing authorities are not trusted by default in some
versions of Android, and it isn't an easy task to get a user to add others.

There are several apps I've used where I've had no choice except to trust all
authorities. I know the dangers of this, but I doubt most Android users do.

~~~
ge0rg
Indeed. To add insult to injury, Java's handling of SSL trust verification is
a complex beast that is hard to get right.

To mitigate the problem at least a little, you have to jump through hoops.
<shamelessplug>I had to write my own (MIT licensed) lib to allow for SSH-style
"ask on first use" behavior, which I needed for an XMPP client:
<https://github.com/ge0rg/memorizingtrustmanager> </shamelessplug>

------
samstokes
tl;dr: 8% of the top 13k apps don't verify SSL certificates.

 _The scientists began their research by downloading 13,500 free apps from
Google Play and subjecting them to a "static analysis." Those tests checked
whether the SSL implementations of the apps were potentially vulnerable to
"man-in-the-middle" exploits, in which attackers are able to monitor or tamper
with communications flowing over public Wi-Fi hotspots or other unsecured
networks. The results identified 1,074 apps, or eight percent of the sample,
that contained "SSL specific code that either accepts all certificates or all
hostnames for a certificate and thus are potentially vulnerable to MITM
attacks."_

<snip>

 _The paper made no attempt to measure the security provided by apps available
for Apple's competing iOS platform. One possible reason the researchers
focused on Android apps exclusively is that the openness of the Google
platform made it easier to perform static analysis. That, in turn, made it
possible to zero in on the apps with SSL implementations that exposed
sensitive user data. It would be interesting to see the results of a similar
analysis performed on the 13,000 most popular iPhone apps._

------
sturmeh
> A "very popular cross-platform messaging service" with an install base of 10
> million to 50 million users exposed telephone numbers from the address book.

WhatsApp would that be?

~~~
mike-cardwell
Possibly. When I originally looked at Kik Messenger back in November 2010, it
wasn't using SSL for anything. Even passwords were going over the wire in the
clear. In March 2011 they added SSL functionality, but it didn't do any
certificate verification. A few months later in June they added appropriate
certificate verification. I wrote a small Perl script at the time as a POC
which would automatically add signatures to people's outgoing Kik messages if
they were using your network. It even worked with the SSL version of Kik
before they added cert verification -
[https://grepular.com/Advertise_Your_Wifi_in_Your_Customers_K...](https://grepular.com/Advertise_Your_Wifi_in_Your_Customers_Kik_Messages)

~~~
sturmeh
I'm sure quite a few apps do it; I know WhatsApp does it for certain.

MITM your phone and watch the traffic: your entire contact list gets sent
through every time you open the application.

------
raverbashing
Why am I not surprised it's an "anti-virus"?

AV software == snake oil

If your system 'needs' an Anti-virus, change the way you use it or change it.

------
avel
From the examples: "A 'very popular cross-platform messaging service' with an
install base of 10 million to 50 million users exposed telephone numbers from
the address book."

This app is surely WhatsApp. There was a thread on Hacker News about it not
using SSL.

