Research: Android smartphone apps leave user data open to attack
Failure by thousands of apps to encrypt data or use secure channels leaves banking and email logins vulnerable to spyware.
Android users are at risk of exposing personal information to third parties because thousands of apps either send data in the clear or fail to check the TLS certificates of the servers they talk to, research shows.
The investigation, carried out by German researchers at the University of Hannover and Philipps University of Marburg, found that almost 8 per cent of apps did not protect bank account and social media logins.
These apps, which were among the 13,500 most popular free apps on the Google Play Market, leave user data open to so-called ‘man-in-the-middle’ (MITM) attacks.
In a MITM attack someone positioned on the network path, for example the operator of the Wi-Fi hotspot the phone is connected to, can intercept the messages the app sends and receives over the internet and, in some cases, alter them.
The research was conducted using a purpose-built Wi-Fi hotspot and two MITM attackers: Eve, who passively monitors data in transit, and Mallory, who can tamper with communications.
With these tools the researchers captured login details for services such as online bank accounts and corporate networks. They could also disable security programmes or fool them into flagging benign apps as infected.
It was even possible for an attacker to re-direct a request to transfer funds, while making it appear the transaction was proceeding unchanged.
Another area for concern was a lack of knowledge amongst consumers.
Almost half of the non-IT experts surveyed by the researchers believed they were using a secure connection when they were in fact using plain HTTP; 34.7 per cent of those with prior IT training made the same mistake.
The researchers proposed several ways to protect end users.
These include measures integrated into the Android OS, such as enforced certificate checking and an ‘HTTPS Everywhere’-style option that forces encrypted connections, and measures on the marketplace side, such as running the researchers’ MalloDroid tool to automatically check the available apps for broken certificate validation.
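To make concrete what enforced certificate checking protects against, the following is an added example written for this page; it is not MalloDroid or any code from the researchers or from the apps they studied. It is a small scanner that looks through Java source for the two coding patterns that leave an Android app open to a MITM attacker even though it uses HTTPS: a custom TrustManager whose checkServerTrusted method is empty, so any certificate is accepted, and a hostname check that accepts every host, either a HostnameVerifier that always returns true or the ALLOW_ALL_HOSTNAME_VERIFIER constant. The Java snippets it scans are constructed for illustration, including the assumed names defaultTm and PINNED_SPKI in the safe pinning sample.

```python
"""Toy static check for Android SSL misuse patterns (added illustration,
not MalloDroid). Scans Java source strings for code that accepts any
server certificate or any hostname."""
import re

# Each rule is (finding name, regex over Java source). The regexes are
# deliberately simple and assume plain Java source with no comments inside
# the matched spans; a real analyser would work on decompiled bytecode.
RULES = [
    # checkServerTrusted(...) { }  -> every certificate chain is "trusted"
    ("EMPTY_CHECK_SERVER_TRUSTED",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}")),
    # verify(...) { return true; }  -> every hostname is accepted
    ("HOSTNAME_VERIFIER_RETURNS_TRUE",
     re.compile(r"\bverify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}")),
    # Apache HttpClient constant that disables hostname checking entirely
    ("ALLOW_ALL_HOSTNAME_VERIFIER",
     re.compile(r"\bALLOW_ALL_HOSTNAME_VERIFIER\b")),
]


def scan_source(java_src: str) -> list:
    """Return the names of every rule that matches the given Java source,
    in RULES order. An empty list means none of the known bad patterns."""
    return [name for name, rx in RULES if rx.search(java_src)]


def scan_all(samples: dict) -> dict:
    """Scan a mapping of label -> Java source and report findings per label."""
    return {label: scan_source(src) for label, src in samples.items()}


# Constructed samples of the kind of code found in vulnerable and in
# correctly written apps. These were written for this example.
SAMPLES = {
    "accept_all_trustmanager": """
        TrustManager tm = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return null; }
        };
    """,
    "allow_all_hostname_verifier": """
        SSLSocketFactory sf = SSLSocketFactory.getSocketFactory();
        sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    """,
    "verifier_returns_true": """
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) { return true; }
        });
    """,
    # Uses the platform defaults: chain validation and hostname check intact.
    "default_validation": """
        HttpsURLConnection conn =
            (HttpsURLConnection) new URL("https://example.com/login").openConnection();
        conn.connect();
    """,
    # Custom TrustManager that still validates the chain, then pins the key.
    # defaultTm and PINNED_SPKI are assumed to be defined elsewhere.
    "pinning_with_validation": """
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            defaultTm.checkServerTrusted(chain, authType);
            if (!Arrays.equals(chain[0].getPublicKey().getEncoded(), PINNED_SPKI)) {
                throw new CertificateException("public key does not match pin");
            }
        }
    """,
}


if __name__ == "__main__":
    for label, findings in scan_all(SAMPLES).items():
        status = "VULNERABLE" if findings else "ok"
        print(f"{label:28s} {status:10s} {', '.join(findings)}")
```

The three vulnerable samples are each flagged by exactly one rule, while the two samples that keep the platform's certificate and hostname checks (the second adding key pinning on top) produce no findings. A scanner of this sort only spots the patterns it knows; it cannot prove an app is safe, which is why the researchers also argued for enforcing certificate checking in the OS itself rather than trusting each app to get it right.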
IT Pro contacted Google, who declined to comment on the findings.
The full research paper is available to read via the University of Hannover website.