Popular Android and Amazon Apps Vulnerable To Attacks
By Paul Liu
Wednesday, November 12th, 2014

According to the Computer Emergency Response Team (CERT), more than 350 popular Android and Amazon apps are vulnerable to man-in-the-middle (MITM) attacks because they do not properly validate the server's security certificate when handling secure (HTTPS) requests. CERT has gone ahead and published the list of affected apps in a document that is updated regularly. If you look closely at the list, you will find many ecommerce, security, gaming, mobile banking and ticket sales apps, and you will also notice that even apps from large corporations such as Microsoft and eBay are not immune to this vulnerability.
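The flaw CERT describes is a client that fails to check the server certificate. The following added example (not code from the article, from CERT, or from any of the listed apps; class and method names are hypothetical) shows the pattern that produces this vulnerability in a Java/Android `HttpsURLConnection` client next to the correct form. The insecure version installs a `TrustManager` that accepts every certificate chain and a `HostnameVerifier` that accepts every host, so any certificate presented by a device sitting between the app and the server is accepted. The secure version simply keeps the platform defaults, which check the chain against the device's trusted CAs and check that the certificate matches the host being contacted.

```java
// Added example: the certificate-validation mistake behind the MITM flaw,
// beside the correct configuration. Not code from the article or from CERT.
import java.net.URL;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class HttpsValidationExample {

    // VULNERABLE: every certificate chain and every hostname is accepted.
    // A client configured like this is exposed to the attack CERT describes,
    // because TLS no longer proves who is on the other end of the connection.
    static HttpsURLConnection openWithoutValidation(URL url) throws Exception {
        TrustManager[] trustEverything = new TrustManager[] {
            new X509TrustManager() {
                @Override
                public void checkClientTrusted(X509Certificate[] chain, String authType) {
                    // no check: the mistake
                }
                @Override
                public void checkServerTrusted(X509Certificate[] chain, String authType) {
                    // no check: the mistake
                }
                @Override
                public X509Certificate[] getAcceptedIssuers() {
                    return new X509Certificate[0];
                }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustEverything, new SecureRandom());

        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(new HostnameVerifier() {
            @Override
            public boolean verify(String hostname, SSLSession session) {
                return true; // accepts any host: the second mistake
            }
        });
        return conn;
    }

    // CORRECT: keep the platform defaults. The default SSLSocketFactory
    // validates the chain against the device's trusted CA store and the default
    // HostnameVerifier checks that the certificate matches the requested host.
    // The fix for the vulnerable form is to delete the overrides, not to
    // "improve" them.
    static HttpsURLConnection openWithValidation(URL url) throws Exception {
        return (HttpsURLConnection) url.openConnection();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder host; a real app would use its own API endpoint.
        URL url = new URL("https://api.example.invalid/account");
        HttpsURLConnection secure = openWithValidation(url);
        // With the defaults in place, connecting to a server whose certificate
        // is untrusted or does not match the host raises SSLHandshakeException
        // (or SSLPeerUnverifiedException) instead of silently succeeding.
        System.out.println("Default hostname verifier: "
                + secure.getHostnameVerifier().getClass().getName());
    }
}
```

A practical check for developers: point the app at a test server that presents a self-signed or mismatched certificate. A correctly validating client refuses the connection with a handshake or peer-verification exception; a client built like `openWithoutValidation` connects anyway, which is the behaviour CERT's testing flags.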
Whenever a new security flaw is discovered, security companies usually communicate the problem to the affected parties and wait for 45 days before releasing the information to the general public. But due to the severity of the flaw and the sheer number of apps affected by it, CERT has decided to make the information public within days of discovering the problem. While this may seem counter-intuitive, the organization clearly believes that criminals who are aware of the vulnerability are probably already using it to perform MITM attacks and steal data. The list of affected apps is intended to make the general public more aware of the security risk, not to help hackers carry out more attacks.
If you are wondering how criminals can use this information for their benefit: they can use public Wi-Fi networks to steal data from people who are using the affected apps, and they may even set up their own rogue networks and lure people into revealing their confidential data. Since there are quite a few ecommerce and mobile banking apps in the list (for example, Coles' Credit Card app, the eBay Germany mobile shopping app, etc.), criminals can easily steal financial information from unsuspecting users. The scary part is that the vulnerability probably affects millions of Android and Amazon users, since most of the apps mentioned in the list have been installed thousands or even millions of times.
To help app creators analyze the security of their apps, CERT has also released a tool specifically designed to test SSL vulnerabilities in apps. The tool is called CERT Tapioca and is available at http://www.cert.org/blogs/certcc/post.cfm?EntryID=203. Tapioca performs automated security checks and reports within minutes whether a particular app is affected by the HTTPS vulnerability mentioned above. Since there are millions of apps available for the Android and Amazon platforms, an automated tool like Tapioca is essential for discovering the extent of the problem; otherwise it could take years just to learn the names of the apps affected by this flaw.
If you are an Android or Amazon user, you need to do a few things to secure your data from this vulnerability. First of all, find out whether the apps you use in your day-to-day life are affected by this flaw by going through the list of apps published by CERT. If you discover your favorite apps in the list, uninstall them from your device and do not use them until they have been patched by the developer. It would also help to change the passwords of the affected websites, just to be sure that your data has not been compromised by criminals. Finally, use a privacy tool like a VPN to make sure that hackers are not able to steal your private data when you are connected to a Wi-Fi network.