SAN FRANCISCO -- Researchers at the 2015 RSA Conference (RSAC) have detailed SSL and TLS vulnerabilities that affect tens of thousands of Android apps, and the potential risks that enterprises face because of them.
Two separate sessions at RSAC dealt with the topic, which is that developers have been improperly implementing security checks with SSL protocols that could lead to man-in-the-middle (MitM) attacks.
The proof is in the Tapioca
Will Dormann, vulnerability analyst with the CERT division of Carnegie Mellon University's Software Engineering Institute in Pittsburgh, also presented data at a session during RSA. Dormann's data was collected by CERT Tapioca, an automated tool that has found nearly 24,000 Android apps with these vulnerabilities.
Adrian Mettler, staff engineer, and Yulong Zhang, senior software research engineer at the security vendor FireEye Inc. in Milpitas, Calif., presented research detailing exactly how developers were making mistakes that led to these vulnerabilities. The duo focused on free Android apps with over 1 million downloads, which amounted to just over 11,000 apps as of the beginning of April, and found that vulnerabilities were caused by apps not properly checking that SSL certificates were sent by or signed by the correct parties.
Mettler and Zhang found that 42% of apps that used SSL trust managers either accepted all certificates or accepted unsafe certificates. Additionally, more than 95% of apps were found to not check hostnames, which could lead to an Android man-in-the-middle attack.
Malicious data injection the real worry
Mettler said that these vulnerabilities wouldn't worry enterprises too much if devices with affected apps stayed on the corporate network, because it is unlikely that MitM attackers would be there; the risks for employees come once they go off-premises. He said that the main risk of an Android man-in-the-middle attack would be intercepting sensitive data, which could be stolen from HTTP or HTTPS traffic -- but there's another risk beyond that.
"What's perhaps more worrying is that malicious data could be injected over that connection. It's not super common, but it's not uncommon for apps to actually download code and run it on Android," Mettler said. "This would be a relatively sophisticated and difficult attack to pull off, but it's technically possible. It's not only data exposure, but that it could lead to a malware infection on the device, and then attackers could get access to other types of things."
Mettler suggested that enterprises check apps used on employee devices. This could be done using Tapioca, which Dormann said CERT has made available to enterprises in order to check applications for the SSL vulnerabilities. If vulnerable apps are found, companies are urged to send reports to CERT, which will then take up the task of contacting developers to request patches.