Popular android apps leaking private passwords, Credit card data

[Apollo 13]

Here’s some bad news for Android users: Researchers have uncovered 41 Android apps in the Google Play store that are leaking sensitive data, ranging from credit card information and email content to social networking site passwords, new research suggests.

Researchers at Leibniz University of Hannover and Philipps University of Marburg in Germany have released findings that indicate various Android apps currently available for download are subject to major encryption issues. (Note: The study was only conducted among Android apps, but app security issues are likely to pop up on other platforms, as well).

The team used a Samsung Galaxy Nexus smartphone operating on Android 4.0 Ice Cream Sandwich to conduct testing and began the study by downloading 13,500 free apps. About 1,074 apps — or 8% of the sample — contained code that was potentially vulnerable to man-in-the-middle (MITM) attacks, which allows a cybercriminal to intercept a message or data that is assumed to be private and secure.

The team did a manual audit of 100 of those apps and was able to successfully launch attacks against 41.

SEE ALSO: 10 Spooky Cyberattacks in 2012 [INFOGRAPHIC]
“Of the 100 apps selected for manual audit, 41 apps proved to have exploitable vulnerabilities,” the researchers said. “We could gather bank account information, payment credentials for PayPal, American Express and others. Furthermore, Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted.”

After retrieving the information, the team said they were “able to inject virus signatures into an anti-virus app to detect arbitrary apps as a virus or disable virus detection completely.”

Although the researchers didn’t name the apps, they provided some details on certain services. For example, they “successfully attacked a very popular cross-platform messaging service” — which has a user base between 10 and 50 million users — and was able to obtain telephone numbers from users’ address books.

Also at risk is an app for a popular Web 2.0 site with an install base of 500,000 to 1 million users.

“When using a Facebook or Google account for login, the app initiates OAuth login sequences and leaks Facebook or Google login credentials,” the research said.

Google declined to comment on the study.

http://mashable.com/2012/10/22/android-apps-leaking-security-data/

another link on the subject http://www.bbc.co.uk/news/technology-20025973

 

[xuselppa]

http://mashable.com/2012/10/22/android-apps-leaking-security-data/

another link on the subject http://www.bbc.co.uk/news/technology-20025973

Well, I guess it is a good thing I am not using their fake Wi-Fi hotspot:

By creating a fake wi-fi hotspot and using a specially created attack tool to spy on the data the apps sent via that route, the researchers were able to...

 

[matttye]

Well, I guess it is a good thing I am not using their fake Wi-Fi hotspot:

That's what "man in the middle" attacks are and demonstrates that any publicly accessible wifi network could be used to steal data.

There was actually a book I read where somebody stole information from people using a wifi network in his cafe and then used sensitive information to blackmail people. Fiction, but entirely possible

 

[xuselppa]

That's what "man in the middle" attacks are and demonstrates that any publicly accessible wifi network could be used to steal data.

There was actually a book I read where somebody stole information from people using a wifi network in his cafe and then used sensitive information to blackmail people. Fiction, but entirely possible

yep, and if an iPhone user uses the same public Wi-Fi network, they are just as vulnerable. anyone that uses a public Wi-Fi without precautions are begging for a virus.

 

[matttye]

yep, and if an iPhone user uses the same public Wi-Fi network, they are just as vulnerable. anyone that uses a public Wi-Fi without precautions are begging for a virus.

Where can I find the results of your study? Or are you just taking a wild guess?

 

[Stuntman06]

Where can I find the results of your study? Or are you just taking a wild guess?

Here is an older article regarding man-in-the-middle attacks agains all smartphones: http://www.zdnet.com/blog/security/man-in-the-middle-attacks-demoed-on-4-smartphones/4922

I haven't found anything more recent. The recent article mentioned by the OP is about Android phones and these attacks focused specifically on Android. There is no mention of whether any other type of smartphones were researched.