Ask yourself the following question, and answer as truthfully as you can: do you really know how safe and secure your Android apps are?
There is a good chance that you have no idea the kind of permissions and access some apps require, and to further compound some frustration, most of the popular free Android apps have SSL/TLS vulnerability.
In simple terms, the apps can leave you open to attacks from the man-in-the-middle (MITM). The FireEye Mobile Security Team undertook an analysis of the 1 000 most popular free apps that is available in the Google Play store – and found the shocking vulnerability state.
What the team did, was look at how the apps communicate with their servers, whether it was through a secure network, which protocols they used, and if the apps implemented the Android platform’s SSL libraries correctly. The short answer is ‘no’.
“Do they use trust managers that check certificate chains from remote servers? Does the hostname of the server extracted from the CA-issued certificate match the hostname of the server the application intends to connect to? Do the apps ignore SSL errors in WebKit (a component that renders server pages in mobile applications)?” the team explained.
After all the testing and analysis, it was found that from the 1 000 apps, 614 applications use SSL/TLS but 448 didn’t check the security certificates. There was a small number (approx. 8%) that use their own hostname verifiers but didn’t check hostnames. One of the biggest concerns were that 285 apps used Webkit but 77% of them ignored SSL errors generated in it.
“Applications may use third-party libraries to enable part of their functionality. When these libraries have baked-in vulnerabilities, they are particularly dangerous because they make all applications that use them, and frequently the devices that run them, vulnerable. Furthermore, these vulnerabilities are not weaknesses in the applications themselves, but in the features they rely upon for functionality,” FireEye Mobile Security Team explained.[Source – Net Security]