Android apps used by millions vulnerable to password, e-mail theft
Android applications downloaded by as many as 185 million users can expose end users' online banking and social networking credentials, e-mail and instant-messaging contents because the programs use inadequate encryption protections, computer scientists have found.
The researchers identified 41 applications in Google's Play Market that leaked sensitive data as it traveled between handsets running the Ice Cream Sandwich version of Android and webservers for banks and other online services. By connecting the devices to a local area network that used a variety of well-known exploits, some of them available online, the scientists were able to defeat the secure sockets layer and transport layer security protocols implemented by the apps. Their research paper didn't identify the programs, except to say they have been downloaded from 39.5 million and 185 million times, based on Google statistics.
"We could gather bank account information, payment credentials for PayPal, American Express and others," the researchers, from Germany's Leibniz University of Hannover and Philipps University of Marburg, wrote. "Furthermore, Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted." Other exposed data included the contents of e-mails and instant messages.
A Google spokesman declined to comment. There was no evidence any of the vulnerable apps were developed by Google employees, although the researchers said there are steps Google engineers could take to better ensure Android apps implement the encryption more securely.