There is a series of Android applications that fail to properly validate SSL certificates, exposing users to man-in-the-middle (MitM) attacks.
A new list just came out from the CERT Coordination Center at Carnegie Mellon University (CERT/CC) that exposes the weak applications.
The issue of Android apps failing to validate SSL certificates is not new. Researchers in Germany published a paper based on the analysis of 13,500 popular free applications with the aid of MalloDroid, a tool designed to detect broken SSL certificate validation in Android programs. The researchers warned at the time that 8 percent of the analyzed apps contained SSL/TLS code potentially vulnerable to MitM attacks, but CERT said the researchers didn’t actually alert the developers of what applications had the issues.
More recently, researchers at FireEye analyzed 1,000 of the most popular free apps offered on Google Play and found that 68 percent of them are vulnerable because they either don’t check server certificates, they ignore SSL errors in WebKit, or they don’t verify the hostnames of servers. The applications suffer from attacks because of vulnerable libraries, or they are inherently vulnerable. FireEye said it had notified developers, who took steps to secure their products, but CERT pointed out with the exception of a few cases, the security firm did not name the affected applications, or the alerted authors.
This is why CERT took the issue another step and performed wide-scale automated dynamic tests on the most popular Android apps by using a tool called CERT Tapioca. Tapioca is a network-layer MitM proxy VM based on UbuFuzz, preloaded with mitmproxy, and it can check for apps that fail to validate certificates, and investigate HTTP/HTTPS traffic.
In addition to verifying the apps, the organization said it will get in touch with the authors of every single application that fails the tests and provide them with information needed to address the vulnerabilities.
A spreadsheet containing the list of tested applications ended up published by CERT. The document, which will stay up to date with new information, contains names, tested versions, test results, CVE identifiers for the vulnerabilities, and other information.
CERT said while some might find it odd they have decided to publish the names of the impacted apps without giving developers time to address the vulnerabilities, this move gives an advantage to the users, not the attackers.
“If an attacker is interested in performing MITM attacks, they’re already doing it. That cat is already out of the bag. They’ve likely set up a rogue access point and are already capturing all of the traffic that passes through it,” CERT/CC vulnerability analyst Will Dormann said in a blog post.
“If end users have vulnerable applications on their phones, knowing which applications are affected does give an advantage to the defenders. They can choose to uninstall vulnerable applications until fixes are available, or if they must, they can choose to use said applications only on trusted networks.”