The analysis was performed by the FireEye Mobile Security Team, who set out to determine how many apps communicate with their servers over secure network protocols, and whether the apps that do use the Android platform's SSL libraries correctly.
"Do they use trust managers that check certificate chains from remote servers? Does the hostname of the server extracted from the CA-issued certificate match the hostname of the server the application intends to connect to? Do the apps ignore SSL errors in WebKit (a component that renders server pages in mobile applications)?" they wanted to know.
The results were as follows: of the 1,000 tested apps, 614 use SSL/TLS. Of those, 448 (around 73%) use trust managers that do not check certificate chains, and 50 (around 8%) use their own hostname verifiers that do not check hostnames. Of the 285 apps that use WebKit, 219 (around 77%) ignore the SSL errors it generates.
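The three anti-patterns the researchers screened for, shown here as an added illustration rather than code from the FireEye post or from any of the tested apps, each next to a hardened form. The javax.net.ssl and android.webkit APIs are real; the class and method names (SslPatterns, platformTrustedContext, strictVerifier, openHardened) are assumptions for the example.

```java
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Example class; the names below are assumptions, not an API from the post.
public final class SslPatterns {

    // Pattern 1 (vulnerable): a trust manager whose checkServerTrusted never
    // throws, so any certificate, including one forged by a MITM, is accepted.
    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // Hardened: build the SSLContext from the platform's default trust store,
    // which validates the chain against the system CAs.
    static SSLContext platformTrustedContext() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null KeyStore = the system CA store
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Pattern 2 (vulnerable): a hostname verifier that returns true for every
    // host, so a valid certificate for attacker.example is accepted for any server.
    static final HostnameVerifier ALLOW_ALL_HOSTS = new HostnameVerifier() {
        @Override public boolean verify(String hostname, SSLSession session) { return true; }
    };

    // Hardened: keep the platform verifier, which matches the certificate's
    // subject names against the host the app intends to reach.
    static HostnameVerifier strictVerifier() {
        return HttpsURLConnection.getDefaultHostnameVerifier();
    }

    // Pattern 3 (vulnerable): a WebViewClient that calls proceed() on every
    // SSL error, so the WebView loads pages served under a bad certificate.
    static final class IgnoreSslErrorsClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.proceed();
        }
    }

    // Hardened: cancel the load. This is also what the base class does when
    // onReceivedSslError is not overridden.
    static final class StrictSslClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.cancel();
        }
    }

    // Connection that uses the hardened trust manager and hostname verifier.
    static HttpsURLConnection openHardened(URL url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(platformTrustedContext().getSocketFactory());
        conn.setHostnameVerifier(strictVerifier());
        return conn;
    }
}
```

When reviewing an app or a bundled ad library, the vulnerable shapes are easy to grep for: an X509TrustManager with an empty checkServerTrusted body, a HostnameVerifier whose verify always returns true, and an onReceivedSslError override that calls handler.proceed(). Any one of them is enough to let a network attacker read or modify the app's traffic.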
The numbers were somewhat different when the researchers analyzed the top 10,000 most popular apps, but still bad.
"Applications may use third-party libraries to enable part of their functionality. When these libraries have baked-in vulnerabilities, they are particularly dangerous because they make all applications that use them, and frequently the devices that run them, vulnerable. Furthermore, these vulnerabilities are not weaknesses in the applications themselves, but in the features they rely upon for functionality," they explained the problem.
The team tested their findings by creating proof-of-concept MITM attacks against several of these popular apps and the ad libraries they use, and found that some of the apps had SSL vulnerabilities in both the app code and the library. Most of these apps have been downloaded several hundred times.
For more details on the case studies, as well as best-practice recommendations for application developers looking to secure their apps and keep their users safe, check out the blog post.
The researchers notified the developers of their findings. Some acknowledged the vulnerabilities and patched them in newer app and library versions; others have yet to respond.