After analyzing the most downloaded free apps in Google Play, a security firm found that nearly 68 percent were impacted by secure sockets layer (SSL) vulnerabilities.
The SSL flaws, which could enable man-in-the-middle (MitM) attacks, leave Android users' data vulnerable to being intercepted, and even modified for malicious purposes, by a saboteur, FireEye researchers revealed Wednesday.
In a blog post, the firm said that 674 out of the 1,000 most-downloaded free apps in Google Play, contained at least one of three SSL bugs: those using trust managers that do not check certificates; those using hostname verifiers that did nothing; and apps ignoring SSL errors in Webkit.
Among the impacted apps, FireEye highlighted Camera360, which had been downloaded more than 250 million times by Android users.
The photo editing and sharing app was afflicted with an SSL issue where the app's trust managers failed to check server certificates, the post said.
In follow up email correspondence with SCMagazine.com, one of the post's authors Vishwanath Raman, a senior software engineer at FireEye, said that the Camera360 vulnerability was “the most egregious” as it could allow an attacker to “pretty much gain complete access to user data.”
Luckily, the developers of the app were responsive to researchers' concerns and released an update remediating the issue on July 29, FireEye revealed.
Through its research, the firm also found that many Google Play apps (including Camera360) were plagued with SSL flaws within ad libraries (which are used by applications). In his email to SCMagazine.com, Raman explained that ad libraries, used to display advertisements to app users, are often the “third-party libraries that have the farthest reach into applications."
“Some of the most popular ad libraries have addressed the vulnerabilities we report at this point, but then the onus appears to be on application developers to update their applications to use the latest versions of the ad libraries,” Raman said. “A large number of applications continue to use vulnerable versions of these libraries exposing the data exchanged between the libraries and their servers open to MitM exfiltration.”
Since Google has provided helpful best practices for securing app communication with web servers, developers must rise to the challenge of following up on these security issues, he continued.
"Typically, though, application developers are not security experts and these are fairly complex issues that require a good understanding of the public key infrastructure and the way that it is realized on any given platform," Raman said. "We therefore expect to continue to find such vulnerabilities going forward using our capabilities."