Tuesday, 27 January 2015

Research: Weak Encryption In Popular Android Apps

Many of the popular free Android apps in the Google Play store use weak encryption to protect sensitive information. So claims the US security firm FireEye, which analyzed 9339 apps with more than 1 million downloads. Of these, 8261 were found to use a cryptographic functionality of the Android platform. Of those 8261 apps, 5147 (62%) proved to contain one or more cryptographic vulnerabilities.

These include, for example, the use of static keys for encryption. Such keys can be extracted from the app and then used to decrypt the data. This was the case for 21% of the apps. Furthermore, 58% were found to use a weak encryption algorithm, which leaves the apps vulnerable to certain attacks. For a handful of apps an attack was also developed. One of these apps accepted every SSL certificate presented to it, allowing attackers to perform a man-in-the-middle attack.

According to the researchers, cryptographic vulnerabilities are a serious threat because they enhance the effectiveness of other attacks. Through the misuse of SSL, an attacker could, for instance, intercept sensitive information. "This problem is compounded by root exploits in which an attacker rooting a device can determine which apps are installed to send random data for offline decryption," concludes researcher Adrian Mettler.
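A source-level check for two of the findings described above, static encryption keys and a trust manager that accepts every SSL certificate. This is an added example, not code from FireEye's research; the regex heuristics and the sample Java classes are constructed for illustration and assume decompiled Java source as input.

```python
import re

# Constructed sample: Java source as it might look after decompiling an app.
SAMPLE = '''\
class Prefs {
    private static final byte[] KEY = "0123456789abcdef".getBytes();
    SecretKeySpec spec() { return new SecretKeySpec(KEY, "AES"); }
}
class Net implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] c, String a) {}
    public void checkServerTrusted(X509Certificate[] c, String a) {
        // accept everything
    }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}
class Ok {
    SecretKeySpec spec(byte[] fromKeystore) { return new SecretKeySpec(fromKeystore, "AES"); }
}
'''

# Key material written into the code: "...".getBytes(...) or a byte-array initializer.
LITERAL = r'(?:"[^"\n]*"\s*\.getBytes\([^)]*\)|(?:new\s+byte\s*\[\s*\]\s*)?\{[^}]*\})'
# First argument of the SecretKeySpec constructor: a literal or a plain identifier.
KEY_USE = re.compile(r'new\s+SecretKeySpec\s*\(\s*(' + LITERAL + r'|\w+)\s*,')
# A method body holding only whitespace, comments or a bare "return;".
EMPTY_BODY = r'\{(?:\s|//[^\n]*|/\*.*?\*/|return\s*;)*\}'
TRUST_ALL = re.compile(
    r'void\s+checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+?)?\s*' + EMPTY_BODY,
    re.DOTALL)

def line_of(src, pos):
    return src.count("\n", 0, pos) + 1

def scan(src):
    """Return sorted (finding, line) pairs for static keys and trust-all managers."""
    findings = []
    for m in KEY_USE.finditer(src):
        arg = m.group(1)
        if re.fullmatch(r'\w+', arg):
            # An identifier counts only if it is initialised from literal key material.
            decl = re.search(
                r'byte\s*\[\s*\]\s+' + re.escape(arg) + r'\s*=\s*' + LITERAL, src)
            if decl is None:
                continue
        findings.append(("static-key", line_of(src, m.start())))
    for m in TRUST_ALL.finditer(src):
        findings.append(("trust-all-certificates", line_of(src, m.start())))
    return sorted(findings, key=lambda f: f[1])

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A clean result from pattern matching like this does not show an app is safe; keys assembled at runtime or obfuscated code need data-flow analysis.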
