|[December 16, 2013]
Fraunhofer SIT: Massive Security Issues with Apps
DARMSTADT, Germany --(Business Wire)--
Many popular Android apps pose significant security threats. This is the
conclusion reached by researchers at the Fraunhofer (News - Alert) Institute for Secure
Information Technology in Darmstadt, Germany (Fraunhofer SIT). By
exploiting weaknesses in the way the Secure Sockets Layer (SSL) protocol
is used, attackers can steal sensitive access data, e.g., user names and
passwords. Fraunhofer SIT informed over 30 affected app manufacturers;
so far 16 closed the security gap. Among those were Amazon, Yahoo,
Google (News - Alert), and Volkswagen Bank. A list of all apps with security updates
may be found at www.sit.fraunhofer.de/en/appsecuritylist.
Apps may pose a security risk (Photo: Business Wire)
The user's security risk depends on the specific app: With some apps
only personal photos might be at risk; with banking apps, access data
might be used for unauthorized money transfers. An especially grave risk
may occur if apps use the single-sign on services of Google or
Microsoft (News - Alert). In these cases access data is used for a variety of services,
like email and cloud storage.
The vulnerability is introduced by an incorrect use of SSL. SSL
cryptographically protects the connection between apps and servers. This
protection relies on so-called public-key certificates. When receiving a
certificate, apps are supposed to verify that it actually belongs to the
server they want to communicate with. The researchers found that in the
listed apps, this verification is not done correctly. "From a technical
perspective, this is a small mistake. But it can have a huge impact on
security," says Dr. Jens Heider from Fraunhofer SIT. For example, an
attacker just needs to manipulate the communication that takes place
while the victim is surfing via an unprotected WLAN, e.g., at an airport
or in a restaurant. It is in these situations that the SSL encryption is
supposed to ensure secure communication.
"In principle, the vulnerability is extremely easy to fix," says Heider.
He and his team already informed the manufacturers several weeks ago and
asked for the weakness to be remedied. The team has rechecked every new
update. "Users need to make sure they always update their apps to the
newest version," recommends Heider. The vulnerability was noticed during
the pilot phase of the new Fraunhofer SIT test framework "Appicaptor",
which automatically tests the security of apps. Fraunhofer SIT tested a
total of 2,000 Android (News - Alert) apps.
Photos/Multimedia Gallery Available: http://www.businesswire.com/multimedia/home/20131216006226/en/
[ InfoTech Spotlight's Homepage ]