Despite Google’s efforts to secure the Android mobile operating system, new research has found that a large number of Android applications are prone to attacks that may compromise users’ crucial information, including their login, banking and other data.
Researchers at Leibniz University (Hannover) and Philipps University (Marburg) published a paper on Secure Sockets Layer (SSL) security in Android applications. According to the paper, several Android apps carry weak SSL certificate implementations and are potentially vulnerable to exposing personal details such as login credentials, passwords and other information.
As security requirements grow more stringent, security-layer protocols are updated at least once a decade. Android applications use security protocols to communicate login information and other personal data entered by the user to servers. Several Android apps use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to transport crucial data between the client (the app) and the server.
The research paper concluded that over 1000 Android apps are vulnerable to man-in-the-middle attacks, in which crucial information is hijacked while it is being communicated to the servers. The researchers also found that 41 applications in the Google Play Store are leaking important data such as banking details, login details and other data.
Researchers from Leibniz University of Hannover and Philipps University of Marburg stated, “We could gather bank account information, payment credentials for PayPal, American Express and others. Furthermore, Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted.” Other exposed data included the contents of e-mails and instant messages.
The majority of the vulnerable apps were developed by third-party developers rather than by the original website or service providers. While the security researchers suggest that Google use a better alert system to inform the user when a connection is not encrypted, users are required to manually check for and remove apps that are likely to have this vulnerability.
Earlier this year, Google introduced a new automated malware-scanning service, Bouncer, that scans the Play Store and also requires apps to pass through the approval process. With the next Android 4.2 update, Google is expected to implement a new App Check feature that will scan every application and media file downloaded from the Google Play Store for potential malware or other threats.