Hundreds of Android applications are vulnerable to man-in-the-middle (MitM) attacks because they fail to properly validate X.509 SSL/TLS certificates, according to the CERT Coordination Center (CERT/CC) at Carnegie Mellon University.
In March, the US Federal Trade Commission (FTC) settled charges with Fandango and Credit Karma, whose mobile apps had failed to properly validate SSL certificates and exposed sensitive user information.
“An attacker on the same network as the Android device may be able to view or modify network traffic that should have been protected by HTTPS,” said Will Dormann, a CERT vulnerability analyst. “The impact varies based on what the application is doing [...] outcomes include credential stealing or arbitrary code execution.”
An Android application that uses SSL/TLS to communicate with one or more servers is expected to verify the certificate each server presents, to confirm that the server really is the one it claims to be. The platform's default HTTPS stack does this automatically: it builds the certificate chain, confirms that the chain ends at a certificate authority (CA) in the device's trust store, verifies every signature and the validity period, and then checks that the hostname in the URL matches the certificate's subject common name or subject alternative name. The applications CERT found vulnerable break this flow, typically by installing a custom TrustManager that accepts any certificate or a HostnameVerifier that accepts any hostname, so a certificate forged by an attacker on the same network is accepted.
So far, the researchers have found more than 400 Android applications that would allow a man-in-the-middle attack. More are expected, as the spreadsheet of affected applications hosted on Google Docs is updated continuously.
App store operators such as Google and Amazon have been given full details of the findings and were advised to run the same certificate-validation tests as part of their review for store inclusion.