Industry News

Hundreds of Android Applications Risk Eavesdropping Due to Lapse in Validating X.509 SSL Certificates

Hundreds of Android applications are vulnerable to man-in-the-middle (MitM) attacks due to their failure to properly validate X.509 SSL certificates, according to the Carnegie Mellon University CERT.

In March, the US Federal Trade Commission (FTC) settled charges with Fandango and Credit Karma companies, who failed to properly implement the SSL protocol and exposed sensitive information.

“An attacker on the same network as the Android device may be able to view or modify network traffic that should have been protected by HTTPS,” said Will Dormann, a CERT vulnerability analyst. “The impact varies based on what the application is doing […] outcomes include credential stealing or arbitrary code execution.”

Android applications that use the SSL protocol to communicate with one or more servers automatically check the certificates to see if the server really is the one it claims to be.

During the verification flow, the application checks at first the certificates’ subject or common name and the URLs. The certificate Authority, signature and expiry date are also checked during the basic verification flow.

So far, researchers have found more than 400 vulnerable Android applications that could allow a man-in-the-middle attack. More are still to come, as the vulnerability spreadsheet hosted on Google Docs is constantly being updated with new vulnerable applications.

Android store vendors such as Google or Amazon have been notified with full details on the vulnerability and were advised to perform the same tests alongside suitability testing for store inclusion.

About the author

Lucian Ciolacu

Still the youngest Bitdefender News writer, Lucian is constantly after flash news in the security industry, especially when something is vulnerable or exploited. Besides digging for 'hacker' scoops and data leaks, he enjoys sports, such as football and tennis.
He has also combined an interest for social and political sciences, as a graduate of the Political Science Faculty, with a passion for guitar and computer games.