Microsoft, eBay apps open to man-in-the-middle diddle

Android apps enter SSL hell

At least 350 Android apps are open to man-in-the-middle (MITM) attacks, thanks to code that fails to validate certificates over secure sockets layer (SSL), says US Computer Emergency Response (CERT) security pro Will Dormann.
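The failure Dormann describes usually comes from a trust manager or hostname verifier that accepts everything. Below is an added Java example (not code from any of the apps named in the article or from CERT) that puts the defective pattern next to the hardened form, so a reviewer can recognise it in an Android code base. The class and method names are the example's own.

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.net.URL;
import java.security.cert.X509Certificate;

public class SslValidationExample {

    // DEFECTIVE pattern: checkServerTrusted never throws, so every certificate
    // is accepted, including one minted by a rogue access point on the path.
    static final X509TrustManager ACCEPT_ALL = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // Same defect on the name-matching side: any host name passes.
    static final HostnameVerifier ACCEPT_ANY_HOST = (hostname, session) -> true;

    // What an affected app effectively does: install both bypasses.
    static HttpsURLConnection openWithoutValidation(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { ACCEPT_ALL }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(ACCEPT_ANY_HOST);
        return conn;
    }

    // HARDENED form: leave the defaults alone. The platform SSLSocketFactory
    // validates the chain against the system trust store, and the default
    // HostnameVerifier checks the certificate against the requested host.
    static HttpsURLConnection openWithValidation(URL url) throws Exception {
        return (HttpsURLConnection) url.openConnection();
    }

    // Connect and report whether the handshake was accepted. A rejected
    // certificate surfaces as SSLHandshakeException; the correct response is
    // to fail the request, not to fall back to the bypass above.
    static boolean handshakeAccepted(HttpsURLConnection conn) throws Exception {
        try {
            conn.connect();
            return conn.getResponseCode() > 0;
        } catch (SSLHandshakeException e) {
            return false;
        } finally {
            conn.disconnect();
        }
    }
}
```

In code review, an empty `checkServerTrusted` body, a `HostnameVerifier` that returns `true` unconditionally, or a catch block that swallows `SSLHandshakeException` and retries are the signatures to look for; the hardened path needs no custom trust code at all.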

The apps can be found in the Google Play and Amazon stores and have been included in a continually updated document created by the CERT.

Popular vulnerable apps include the Microsoft Tech Companion, an eBay Germany app and software for the Australian supermarket chain Coles' Credit Card.

Dormann said the authors of the affected apps were being notified but were not given the organisation's normal 45-day heads-up before the information was made public, because of the likelihood of attack.

"If an attacker is interested in performing MITM attacks, they're already doing it," Dormann said in a post.

"That cat is already out of the bag. They've likely set up a rogue access point and are already capturing all of the traffic that passes through it.

"Knowing which specific applications are affected does not give any advantage to an attacker."

The Coles app is billed by the company as "secure" and allows users to access their Coles credit card accounts with a username and password. That information could be intercepted by attackers eavesdropping on a user's wireless network through MITM attacks.

Many of the affected apps were still online even after Dormann's alerts.

The information could allow users to uninstall affected apps until fixes are produced, or to run them only over trusted networks.

The CERT was running a large-scale automated dynamic analysis of apps using its SSL-probing tool, CERT Tapioca.

Without the tool it would take about eight years to manually analyse each app available on the Play Store and Amazon. ®
