Yet another study has concluded that code used in a small number of Android apps is vulnerable to leaking personal user data. According to security researchers at the Leibniz University of Hanover in Germany, about eight percent of Android applications in the Google Play store improperly respond to attacks on Secure Sockets Layer (SSL) and Transport Layer Security (TLS). Fortunately, the researchers said they haven’t found any instances of anyone deliberately exploiting the vulnerability.
The researchers used a man-in-the-middle attack, which is executed when a third party “inserts itself into a connection between two devices while maintaining the illusion that they are only communicating with each other,” CNET explained. “All the while, the hacker is capturing the data.”
If someone were to exploit the vulnerability, they could easily gain access to credentials for accounts such as bank and social media logins. To give context to the situation, the researchers said 41 out of 100 apps studied were confirmed to contain vulnerabilities. Those apps, by the way, have a combined install base of between 39.5 million and 185 million users. Three of those applications alone each have between 10 million and 50 million users.
Possible solutions include improving permissions and policies (not allowing developers to dictate their own methods for handling SSL or TLS) and having Google screen for SSL/TLS code vulnerabilities before clearing apps for consumer availability. Small steps, but certainly important ones.
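To make the "developers dictating their own SSL/TLS handling" point concrete, here is an added Java example; it is not code from the article, from CNET, or from the Hanover researchers. It assumes only the standard javax.net.ssl API that Android apps use through HttpsURLConnection. The weak variant shows the pattern an app review should flag (a custom TrustManager that accepts every certificate), the hardened variant simply keeps the platform's certificate and hostname checks, and the audit helper returns whether a connection still uses those defaults.

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.net.URL;
import java.security.cert.X509Certificate;

public final class TlsHandlingExample {

    // WEAK PATTERN (for review/detection only): a TrustManager whose check
    // methods never throw accepts any server certificate, so a man-in-the-middle
    // with a self-signed or forged certificate is silently trusted.
    static SSLSocketFactory trustEverythingFactory() throws Exception {
        TrustManager[] acceptAll = { new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, acceptAll, null);
        return ctx.getSocketFactory();
    }

    // WEAK PATTERN (for review/detection only): a HostnameVerifier that always
    // returns true lets a valid certificate for any other host pass.
    static final HostnameVerifier ACCEPT_ANY_HOST = (hostname, session) -> true;

    // HARDENED: open the connection and override nothing. The platform's
    // default trust store and hostname verification stay in force.
    static HttpsURLConnection openVerified(String url) throws Exception {
        return (HttpsURLConnection) new URL(url).openConnection();
    }

    // What NOT to do: the same connection with both defaults replaced.
    static HttpsURLConnection openUnverified(String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(trustEverythingFactory());
        conn.setHostnameVerifier(ACCEPT_ANY_HOST);
        return conn;
    }

    // Audit check: true only if neither the socket factory nor the hostname
    // verifier has been swapped out for something app-specific.
    static boolean usesPlatformDefaults(HttpsURLConnection conn) {
        return conn.getSSLSocketFactory() == HttpsURLConnection.getDefaultSSLSocketFactory()
            && conn.getHostnameVerifier() == HttpsURLConnection.getDefaultHostnameVerifier();
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical host; no network traffic is sent until connect() is called.
        String url = "https://example.invalid/login";
        System.out.println("verified connection keeps defaults: "
            + usesPlatformDefaults(openVerified(url)));      // true
        System.out.println("unverified connection keeps defaults: "
            + usesPlatformDefaults(openUnverified(url)));    // false
    }
}
```

The audit helper only catches overrides set on the connection object itself; a codebase that calls HttpsURLConnection.setDefaultSSLSocketFactory or setDefaultHostnameVerifier globally would pass this check while still being weak, so a review should also search for those two static setters and for any X509TrustManager whose checkServerTrusted body is empty.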