Security researchers at the Leibniz University of Hanover have released a study showing that more than 1,000 legitimate Android apps, out of a sample of 13,500 popular apps from the Google Play market, contain inadequate SSL protections that could leave them vulnerable to Man-in-the-Middle attacks.
The apps in question contained SSL-specific code that either accepts every certificate or accepts every hostname for a certificate. This meant that, on a network an attacker can see, such as a Wi-Fi hotspot, the researchers could present certificates that were self-signed or issued by authorities no longer valid, rather than by a trusted certificate authority, or that were valid but issued for a domain name other than the one the app was accessing, and the apps accepted them.
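The two defects described above map onto two Android/Java APIs: a custom `X509TrustManager` whose `checkServerTrusted` never throws (accepts every certificate), and a `HostnameVerifier` whose `verify` always returns `true` (accepts every hostname). The block below is an added example written for this article, not code from the study or from any of the apps it examined. It shows both anti-patterns next to a hardened alternative that pins the application's own CA into an in-memory `KeyStore` and leaves the platform's default hostname verifier in place; the class name `TlsTrust`, the method names, the alias `pinned-ca` and the idea that the CA certificate arrives as a PEM `InputStream` are all assumptions made for the example.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Example class (hypothetical name) contrasting the defective trust setup the
// study describes with a pinned, validating one.
public final class TlsTrust {

    // ANTI-PATTERN 1: a TrustManager that never throws. Every chain passes,
    // including self-signed certificates and ones from revoked or expired CAs.
    static SSLContext acceptAllCertificates() throws Exception {
        TrustManager[] trustEverything = new TrustManager[] {
            new X509TrustManager() {
                @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustEverything, new SecureRandom());
        return ctx;
    }

    // ANTI-PATTERN 2: a HostnameVerifier that accepts any name, so a certificate
    // validly issued for some other domain is accepted for this app's server.
    static final HostnameVerifier ACCEPT_ALL_HOSTNAMES = (hostname, session) -> true;

    // HARDENED: trust only the CA whose certificate is supplied (assumed to be a
    // PEM-encoded X.509 certificate), via the platform's own TrustManager, which
    // performs chain building, signature and validity checks.
    static SSLContext pinnedToCa(InputStream caCertificatePem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ca = cf.generateCertificate(caCertificatePem);

        // Empty in-memory KeyStore holding just the pinned CA.
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null);
        keyStore.setCertificateEntry("pinned-ca", ca);

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(keyStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Opens an HTTPS connection using the pinned context. The default hostname
    // verifier is deliberately left untouched: it matches the certificate's
    // subject alternative names against the host in the URL.
    static HttpsURLConnection openPinned(String url, InputStream caCertificatePem) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(pinnedToCa(caCertificatePem).getSocketFactory());
        // Never: conn.setHostnameVerifier(ACCEPT_ALL_HOSTNAMES);
        return conn;
    }
}
```

Two points of the design: the pinned context replaces the system trust store rather than adding to it, so the server must present a chain that leads to the pinned CA, and an app that only needs ordinary public CA validation should simply not touch `SSLContext` or `HostnameVerifier` at all, since the platform defaults already reject self-signed certificates and name mismatches. Code review can flag the two anti-patterns mechanically: an empty `checkServerTrusted` body, a `getAcceptedIssuers` that returns an empty array, or a `verify` that returns a constant `true`.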
When manually testing a subset of 100 apps, researchers were able to get valuable data out of 41 apps, from login details for online bank accounts, to email services and social media sites. They were even able to inject virus signatures into an antivirus app to detect other apps as a virus or disable detection.
The study didn't explicitly name the vulnerable programs beyond saying that they have been downloaded between 39.5 million and 185 million times, based on Google data. Three of them had an install base of 10 to 50 million.
Poor implementation of encryption protocols by app developers is to blame, so although the study didn't test the security of apps available for Apple's iOS or other platforms, some of them could be exposed to the same flaws if the flaws are not caught in the app approval process.