End users’ social networking and banking credentials, instant messages and email contents are at risk because 41 applications in Google Play can expose sensitive data as it travels between mobiles running the Ice Cream Sandwich version of Android and the web servers of online services and banks. The researchers placed the devices on a local network they controlled and used widely known man-in-the-middle techniques to bypass the protection that the Secure Sockets Layer and Transport Layer Security protocols used by the apps were supposed to provide. The paper did not name the programs on Play, although it did note that, according to Google’s statistics, they have been downloaded between 39.5 million and 185 million times in total.
Researchers from Germany’s Philipps University of Marburg and Leibniz University of Hannover said: “We could gather bank account information, payment credentials for PayPal, American Express and others. Furthermore, Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted.” The paper also mentioned that other exposed data includes contents of instant messages and emails.
Google has not commented on the new security threat in its digital store. The paper did not suggest that the apps were made by Google employees, although the researchers did note that Google could raise the platform’s level of security by implementing the encryption in a more secure manner.
While the findings highlight Google Play’s vulnerability, they also show how unreliable the protection offered by the TLS and SSL protocols can be in practice, even though both form the basis of the encryption between users and websites today. The paper, presented at the Computer and Communications Security conference, also shows a critical point of failure: app developers not securing their own products. Security is often not app developers’ top priority.
Some samples of vulnerabilities discovered by the research are the following:
- One antivirus app accepted invalid certificates when validating the connection over which it downloads new malware signatures. The researchers exploited this misplaced trust to feed the app their own malicious signature.
- Another app leaked login credentials due to a “broken SSL channel”. This app, which allows convenient uploading and downloading of cloud-based data, claims a user base of 1 million to 5 million downloads.
- A “very popular cross-platform messaging service”, downloaded between 10 million and 50 million times, leaked telephone numbers from the user’s address book.
While the paper aimed to highlight the vulnerabilities, it also provided ways to improve SSL protection on devices running the Android operating system. One of the suggestions is so-called certificate pinning, which makes it much harder to feed an app or a browser a malicious certificate like the ones used in the research. The researchers also urged Google engineers to find new ways of indicating whether the connection an app uses is actually encrypted. Rumours have surfaced that Google may provide Android phones with a malware scanner.
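The two failure modes the article describes, an app that accepts any certificate and the certificate pinning the researchers recommend as a remedy, are shown side by side below. This is an added illustration written for this page, not code from the paper or from any of the apps it studied. It uses only the standard `HttpsURLConnection` API available on Android and Java SE; the pin value and the hostname are constructed placeholders, and a real app would embed the SHA-256 digest of its own backend’s public key.

```java
import java.io.IOException;
import java.net.URL;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.X509TrustManager;

public class PinnedConnectionExample {

    /*
     * Anti-pattern of the kind the paper describes: a trust manager whose check
     * methods never throw, so the TLS handshake succeeds with ANY certificate,
     * including one forged by an attacker on the same local network. It is
     * shown here only for contrast and is never installed anywhere below.
     */
    static final X509TrustManager ACCEPTS_ANYTHING = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    /*
     * Hardened form: keep the platform's default chain and hostname validation
     * and add pinning on top. PINS holds lowercase hex SHA-256 digests of the
     * DER-encoded SubjectPublicKeyInfo of the server's (or its issuing CA's)
     * public key. The entry below is a constructed placeholder.
     */
    static final Set<String> PINS = new HashSet<>(Arrays.asList(
            "0000000000000000000000000000000000000000000000000000000000000000"  // placeholder pin
    ));

    /** SHA-256 over the certificate's public key (SPKI), rendered as lowercase hex. */
    static String spkiSha256Hex(Certificate cert) throws NoSuchAlgorithmException {
        byte[] spki = cert.getPublicKey().getEncoded();   // DER SubjectPublicKeyInfo
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    /** Returns normally only if some certificate in the presented chain matches a pin. */
    static void requirePin(Certificate[] chain)
            throws SSLPeerUnverifiedException, NoSuchAlgorithmException {
        for (Certificate cert : chain) {
            if (PINS.contains(spkiSha256Hex(cert))) {
                return;  // pinned key found; the chain was already validated by the platform
            }
        }
        throw new SSLPeerUnverifiedException("server chain contains no pinned public key");
    }

    /** Opens an HTTPS connection and refuses to talk to the server unless it presents a pinned key. */
    static int fetchPinned(String httpsUrl) throws IOException, NoSuchAlgorithmException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(httpsUrl).openConnection();
        conn.setRequestMethod("GET");
        conn.connect();  // handshake runs here with the DEFAULT, validating trust manager
        try {
            requirePin(conn.getServerCertificates());  // abort before any application data flows
            return conn.getResponseCode();             // only now is the request actually issued
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder host: with the placeholder pin above this call is expected to
        // throw SSLPeerUnverifiedException, which is the desired fail-closed behaviour.
        System.out.println("HTTP " + fetchPinned("https://example.invalid/"));
    }
}
```

Pinning is layered on top of the normal validation rather than replacing it, so a certificate that is both trusted by the platform and matches an expected key is required; the trust-everything manager, by contrast, turns the encrypted channel into one any on-path attacker can read. Pins should be checked against the public key rather than the whole certificate so that routine certificate renewal with the same key does not break the app.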