This content is part of the Conference Coverage: RSA Conference 2015 special coverage: News, analysis and video
Insecure SSL coding could lead to Android man-in-the-middle attacks

Researchers have found thousands of apps that feature insecure coding practices in implementing SSL protocols, which could lead to Android man-in-the-middle attacks.

SAN FRANCISCO -- Researchers at the 2015 RSA Conference (RSAC) have detailed SSL and TLS vulnerabilities that affect tens of thousands of Android apps, and the potential risks that enterprises face because of them.

Two separate sessions at RSAC dealt with the same topic: developers have been improperly implementing the security checks that SSL and TLS connections depend on, which could lead to man-in-the-middle (MitM) attacks.

The proof is in the Tapioca

Will Dormann, vulnerability analyst with the CERT division of Carnegie Mellon University's Software Engineering Institute in Pittsburgh, also presented data at a session during RSA. Dormann's data was collected by CERT Tapioca, an automated tool that has found nearly 24,000 Android apps with these vulnerabilities.

Adrian Mettler, staff engineer, and Yulong Zhang, senior software research engineer at the security vendor FireEye Inc. in Milpitas, Calif., presented research detailing exactly how developers were making the mistakes that led to these vulnerabilities. The duo focused on free Android apps with over 1 million downloads, which amounted to just over 11,000 apps as of the beginning of April, and found that the vulnerabilities were caused by apps not properly checking that SSL certificates were sent by, or signed by, the correct parties.

Mettler and Zhang found that 42% of apps that used custom SSL trust managers either accepted all certificates or accepted unsafe certificates. Additionally, more than 95% of apps were found not to check that the certificate's hostname matched the server they were connecting to, which could lead to an Android man-in-the-middle attack.
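To make the two coding mistakes concrete, here is an added Java example (not code from the RSAC talks, FireEye or CERT Tapioca) showing the accept-all trust manager and hostname verifier pattern the researchers describe, beside the secure default that leaves validation to the platform; the class and method names are illustrative.

```java
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class SslTrustExample {

    // INSECURE: the pattern found in 42% of apps with custom trust managers.
    // checkServerTrusted never throws, so a certificate presented by a MitM
    // attacker passes exactly as a legitimate one would.
    static final X509TrustManager ACCEPT_ALL = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // INSECURE: the missing hostname check seen in more than 95% of apps.
    // A valid certificate for any domain is accepted for this connection.
    static final HostnameVerifier ACCEPT_ANY_HOST = (hostname, session) -> true;

    // Vulnerable client: both checks are disabled.
    static HttpsURLConnection openInsecure(URL url) throws IOException, GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { ACCEPT_ALL }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(ACCEPT_ANY_HOST);
        return conn;
    }

    // SECURE: install no custom TrustManager or HostnameVerifier at all.
    // HttpsURLConnection then validates the chain against the device trust
    // store and rejects a certificate whose name does not match url's host.
    static HttpsURLConnection openSecure(URL url) throws IOException {
        return (HttpsURLConnection) url.openConnection();
    }
}
```

Code reviewers and static scanners can flag the insecure variant by searching for empty `checkServerTrusted` bodies and `HostnameVerifier` implementations that unconditionally return true.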

Malicious data injection the real worry

Mettler said that these vulnerabilities wouldn't worry enterprises too much if devices with affected apps stayed on the corporate network, because it is unlikely that MitM attackers would be there; the risk for employees comes once they go off-premises. He said that the main risk of an Android man-in-the-middle attack would be the interception of sensitive data, which could be stolen from HTTP or HTTPS traffic -- but there's another risk beyond that.

"What's perhaps more worrying is that malicious data could be injected over that connection. It's not super common, but it's not uncommon for apps to actually download code and run it on Android," Mettler said. "This would be a relatively sophisticated and difficult attack to pull off, but it's technically possible. It's not only data exposure, but that it could lead to a malware infection on the device, and then attackers could get access to other types of things."

Mettler suggested that enterprises check the apps used on employee devices. This could be done using Tapioca, which Dormann said CERT has made available to enterprises so they can check applications for the SSL vulnerabilities. If vulnerable apps are found, companies are urged to send reports to CERT, which will then take up the task of contacting developers to request patches.

What steps does your enterprise take to prevent Android man-in-the-middle attacks?
Thanks for this post. Looks like something we need to do something about, given the issues mentioned and the interesting insights shared.

As of now, I'm not sure if we are really bothered about it at my workplace, but I can at least bring it to people's attention.
It's not really surprising, given that there are so many companies releasing so many different apps and trying to beat the competition to market. I've seen where many companies use one of the popular crowd-sourced testing services available to perform much of the app testing. While these services do find bugs (and plenty of them), they are typically the happy-path, obvious bugs that a standard user would find, as opposed to more involved, technical issues, such as an SSL trust manager that accepts all certificates, accepts unsafe certificates, or has other issues that result in these types of vulnerabilities.