Android apps leaking users’ personal data, claims study

23 Oct 2012

Researchers in Germany have conducted a study of 13,500 free Android apps to determine potential security challenges, suggesting that encryption technology may not be enough to protect users’ personal data from being leaked.

Scientists from a computing and security group at Leibniz University of Hannover and from the Department of Maths and Computer Science at Philipps University of Marburg, Germany, examined 13,500 free apps that were downloaded from Google Play to see if such apps could be intercepted by man-in-the-middle (MITM) attacks, ie, when an attacker positioned between the app and its server intercepts the user’s data in transit before it reaches its intended target.

In their paper, the researchers found that 8pc, or 1,074, of the apps they examined contained SSL or TLS code that is potentially vulnerable to MITM attacks.

The researchers then carried out a manual audit of 100 apps and were able to launch MITM attacks against 41 apps, gleaning sensitive data in the process.

“From these 41 apps, we were able to capture credentials for American Express, Diners Club, PayPal, bank accounts, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, remote-control servers, arbitrary email accounts, and IBM Sametime, among others,” claimed the researchers.

During the study, the researchers said they were also able to remotely inject virus signatures into an anti-virus app to detect arbitrary apps as a virus or to disable virus detection completely.

For their research, the scientists built a tool called MalloDroid to perform static code analysis. They are now planning to introduce a MalloDroid web app for Android users.
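As an added illustration, not code from the study or from the MalloDroid tool itself: a small Python heuristic scanner in the spirit of the static analysis described above, run over a constructed Java snippet. The rules and the sample source are assumptions of this example, chosen to show the kind of certificate- and hostname-validation code that leaves an app open to MITM interception.

```python
import re

# Constructed sample of Java source in the style of an Android app. It is an
# illustration of the kind of code such static analysis looks for, not code
# from any app in the study.
SAMPLE_JAVA = """
public class NaiveTrustManager implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    public void checkServerTrusted(X509Certificate[] chain, String authType) {
        // accepts every server certificate without checking the chain
    }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}
public class AcceptAllVerifier implements HostnameVerifier {
    public boolean verify(String hostname, SSLSession session) { return true; }
}
public class StrictVerifier implements HostnameVerifier {
    public boolean verify(String hostname, SSLSession session) {
        return hostname.equals("api.example.test");
    }
}
"""

# Each rule: (finding name, regex over the whole source). These patterns are
# heuristics assumed for this example, not MalloDroid's actual rule set.
RULES = [
    ("trust-all X509TrustManager",     # checkServerTrusted with an empty body
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*\{(?:\s|//[^\n]*)*\}")),
    ("accept-all HostnameVerifier",    # verify() that unconditionally returns true
     re.compile(r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}")),
    ("ALLOW_ALL_HOSTNAME_VERIFIER used",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER")),
]


def find_ssl_weaknesses(java_source: str) -> list[tuple[str, int]]:
    """Return (finding, line number) pairs for every heuristic match."""
    findings = []
    for name, pattern in RULES:
        for m in pattern.finditer(java_source):
            line = java_source.count("\n", 0, m.start()) + 1
            findings.append((name, line))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for name, line in find_ssl_weaknesses(SAMPLE_JAVA):
        print(f"line {line}: {name}")
```

The strict verifier in the sample produces no finding, which is the behaviour a reviewer wants: only validation code that accepts any certificate or any hostname is flagged for manual audit.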


Carmel Doyle was a long-time reporter with Silicon Republic
