When recently appointed president of RSA, Amit Yoran, opened his company’s flagship conference yesterday, he warned that the security industry was living in the dark ages. Protections just aren’t working, he said. Various anti-virus firms, including big names like Kaspersky and Webroot, have inadvertently offered proof that the market’s many players get it wrong: they’re on a list of companies whose Google Play Android apps don’t do proper encryption checks, according to research from the Computer Emergency Response Team (CERT) at Carnegie Mellon’s Software Engineering Institute.
CERT discovered a whopping 22,000 apps that weren’t carrying out “SSL validation”, where the app is supposed to check the server’s certificate when setting up an encrypted connection, to ensure it is really talking to the party it expects. Kaspersky’s Internet Security app, along with Webroot’s free offering and its “complete” tool (an apt name, perhaps?), all failed to carry out these checks, meaning an attacker sitting on the same network as a target user could, in theory, spoof those services and collect data the victim hands over to the fake application. That could be credit card data, especially where in-app purchases are taking place, as in both Kaspersky and Webroot anti-virus, or usernames and passwords. Users would understandably assume that apps using encryption were safe, so would likely be oblivious to such “man-in-the-middle” attacks.
This kind of vulnerability affects a significant number of people. Kaspersky’s app, for example, has at least 10 million users, whilst Webroot’s software has as many as 5 million. Other hugely popular security applications, including NQ Mobile Security & Antivirus, with 30 million users, and AMC Security, with as many as 10 million customers, were also flawed, according to CERT.
None of the aforementioned security companies had responded to requests for comment.
CERT vulnerability analyst Will Dormann told FORBES that this kind of SSL validation is switched on by default in Google’s Android platform, so developers had to deliberately turn it off. Dormann believes this could be a hangover from the testing phase of app development, where coders remove validation checks to make the process smoother, or the work of lazy coders who adopt open sourced software without analysing its security.
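To make concrete what “turning off” the default validation looks like in an Android app, and what the intact default looks like beside it, here is an added illustration in Java. It is not code from the article, from CERT’s research, or from any of the apps named; it assumes only the standard `javax.net.ssl` and `HttpsURLConnection` APIs, and the URL in `main` is a placeholder. The first method is the anti-pattern a reviewer should flag (a trust-everything `X509TrustManager` plus an allow-all `HostnameVerifier`); the second is simply the platform default, which already checks the certificate chain against the device CA store and matches the hostname.

```java
import java.io.IOException;
import java.net.URL;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public final class SslValidationExample {

    /**
     * ANTI-PATTERN (for recognition, not reuse): every certificate is accepted and
     * every hostname matches, so a spoofed server on the same network is trusted.
     * This is the shape of the debugging shortcut the article describes being
     * left in shipping apps.
     */
    static HttpsURLConnection openWithoutValidation(URL url) throws Exception {
        TrustManager[] trustEverything = new TrustManager[] {
            new X509TrustManager() {
                @Override public void checkClientTrusted(X509Certificate[] chain, String authType) {
                    // no check at all
                }
                @Override public void checkServerTrusted(X509Certificate[] chain, String authType) {
                    // no check at all: any chain, self-signed or forged, passes
                }
                @Override public X509Certificate[] getAcceptedIssuers() {
                    return new X509Certificate[0];
                }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustEverything, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Allow-all hostname verifier: a valid cert for any other name is accepted too.
        conn.setHostnameVerifier((hostname, session) -> true);
        return conn;
    }

    /**
     * THE DEFAULT: no custom SSLSocketFactory and no custom HostnameVerifier.
     * The platform validates the chain against the trusted CA store and checks
     * that the certificate matches the requested host. Nothing needs to be added.
     */
    static HttpsURLConnection openWithValidation(URL url) throws IOException {
        return (HttpsURLConnection) url.openConnection();
    }

    /**
     * Cheap runtime self-check a reviewer can drop into a test: has the hostname
     * verifier been replaced? (A swapped SSLSocketFactory is not detectable this
     * way, so source review for custom TrustManagers is still required.)
     */
    static boolean hostnameVerifierIsDefault(HttpsURLConnection conn) {
        return conn.getHostnameVerifier() == HttpsURLConnection.getDefaultHostnameVerifier();
    }

    public static void main(String[] args) throws Exception {
        URL url = new URL("https://example.invalid/api"); // placeholder, not a real endpoint

        HttpsURLConnection safe = openWithValidation(url);
        HttpsURLConnection unsafe = openWithoutValidation(url);

        System.out.println("default connection keeps hostname check: " + hostnameVerifierIsDefault(safe));   // true
        System.out.println("patched connection keeps hostname check: " + hostnameVerifierIsDefault(unsafe)); // false
    }
}
```

When auditing an app for this class of flaw, the things to search for are exactly the pieces in `openWithoutValidation`: an `X509TrustManager` whose `checkServerTrusted` body is empty, and any `HostnameVerifier` that returns `true` unconditionally. Their absence, not any extra code, is what keeps the platform’s validation in place.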
Dormann created a spreadsheet showing which 22,000 apps fail to do this basic checking. His open source Tapioca project, which consisted of a proxy that downloaded and then tested 1 million Android apps on Google Play, included a module that scraped the contact email for all developers who had removed validation and sent them a warning. But only 0.1 per cent of developers responded, Dormann said.
Snapchat was also on his list, but the messaging provider, valued at $19 billion, told FORBES it closed off the vulnerability in December. The problem lay in the Flurry analytics library used by Snapchat, meaning messages couldn’t have been compromised by any man-in-the-middle exploiting the flaw.
Security startup NowSecure also pushed out research today at RSA claiming 48 per cent of Android apps had at least one high-risk security or privacy flaw. Its study indicated 10 per cent of all apps with improperly validated SSL were finance, social, travel or shopping apps. “Successful apps are more about usability than security,” noted NowSecure CEO Andrew Hoog. “We’re finding flaws affecting billions of people… the majority of our disclosures are ignored [and] we need to turn that around. We disclose these for free and are either ignored or met with attorneys.”
Chris Wysopal, co-founder and CTO of app vetting firm Veracode, said failed SSL validation was the most common problem his company found across Android applications too.
Whilst security companies have repeatedly pointed to various vulnerabilities in Android apps, Google has been talking down the threat facing its mobile operating system at the RSA Conference this week. Adrian Ludwig, lead engineer on Android security at Google, said the rate of installs of “potentially harmful applications” (Google refuses to use the nebulous term “malware”) reduced 50 per cent in 2014, whilst spyware installs fell 90 per cent.
But Dormann’s research would indicate over-the-network attacks are something to worry about. And he didn’t have time to inspect paid-for Google Play software, meaning the 22,000 vulnerable apps represent just half the story.
This article was written by Thomas Fox-Brewster from Forbes and was legally licensed through the NewsCred publisher network.