FireEye examines popular Google Play apps, 68 percent have SSL flaws

Share this article:
"Vulnerability impacting multiple versions of Android could enable device takeover"
The firm analyzed 1,000 free apps in Google Play which were most downloaded by users.

After analyzing the most downloaded free apps in Google Play, a security firm found that nearly 68 percent were impacted by secure sockets layer (SSL) vulnerabilities.

The SSL flaws, which could enable man-in-the-middle (MitM) attacks, leave Android users' data vulnerable to being intercepted, and even modified for malicious purposes, by a saboteur, FireEye researchers revealed Wednesday.

In a blog post, the firm said that 674 out of the 1,000 most-downloaded free apps in Google Play, contained at least one of three SSL bugs: those using trust managers that do not check certificates; those using hostname verifiers that did nothing; and apps ignoring SSL errors in Webkit.

Among the impacted apps, FireEye highlighted Camera360, which had been downloaded more than 250 million times by Android users.

The photo editing and sharing app was afflicted with an SSL issue where the app's trust managers failed to check server certificates, the post said.

In follow up email correspondence with SCMagazine.com, one of the post's authors Vishwanath Raman, a senior software engineer at FireEye, said that the Camera360 vulnerability was “the most egregious” as it could allow an attacker to “pretty much gain complete access to user data.”

Luckily, the developers of the app were responsive to researchers' concerns and released an update remediating the issue on July 29, FireEye revealed.

Through its research, the firm also found that many Google Play apps (including Camera360) were plagued with SSL flaws within ad libraries (which are used by applications). In his email to SCMagazine.com, Raman explained that ad libraries, used to display advertisements to app users, are often the “third-party libraries that have the farthest reach into applications."

“Some of the most popular ad libraries have addressed the vulnerabilities we report at this point, but then the onus appears to be on application developers to update their applications to use the latest versions of the ad libraries,” Raman said. “A large number of applications continue to use vulnerable versions of these libraries exposing the data exchanged between the libraries and their servers open to MitM exfiltration.”

Since Google has provided helpful best practices for securing app communication with web servers, developers must rise to the challenge of following up on these security issues, he continued. 

"Typically, though, application developers are not security experts and these are fairly complex issues that require a good understanding of the public key infrastructure and the way that it is realized on any given platform," Raman said. "We therefore expect to continue to find such vulnerabilities going forward using our capabilities."

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Adobe exploit used to spread Dyre credential stealer

Adobe exploit used to spread Dyre credential stealer

Users running vulnerable Adobe software could be in danger of having credentials for Bitcoin websites stolen.

Staples is investigating a potential issue involving credit card data

Staples is investigating a potential issue involving credit ...

The company said it is investigating a potential issue involving credit card data and that customers are not responsible for fraudulent activity on cards if an issue is discovered.

Skills set a priority over legacy prejudices, experts say

Skills set a priority over legacy prejudices, experts ...

Cybersecurity expert Winn Schwartau and Robert Clark, a cyber law attorney at the Army Cyber Institute, discussed issues around hiring in the information security industry.