Pierluigi Paganini September 08, 2014

The CERT has published the results of its test conducted on popular Android applications that fail to properly validate SSL certificates.

In several posts we have discussed about the improper validation of  SSL certificates made by mobile devices, recently we mentioned the case of the Gmail app for iOS devices which, according to an expert at mobile security firm Lacoon, doesn’t perform the certificate pinning procedure when establishing a trusted connection to the service provider. The failure of the certificate pinning procedure exposes users to the risk of MitM attacks and consequent theft of sensitive information.

The CERT Coordination Center at Carnegie Mellon University (CERT/CC) has published a list of popular Android applications that don’t implement correctly the SSL certificate validation, and the problems is widespread.

Recently security experts at FireEye evaluated the level of security offered by 1,000 of the most popular free apps offered on Google Play, also in this case the results are shocking, 68% of the app doesn’t check server certificates and 77% ignores SSL errors. According to the CERT, the applications are using vulnerable libraries, such as the Flurry and Chartboost ad libraries, for this reason Android users are exposed to the risk of attacks. Despite FireEye notified the flaws to the developers  the CERT pointed out that only a few companies took steps to secure their products.

On October 2013, German researchers Beekman and Thompson published a study that revealed that many applications failed to properly implement SSL exposing users to basic Man-In-The-Middle attacks. In 13,500 of the most popular free applications on Google Play at the time, 8% implemented a vulnerable SSL and some of them collected a substantial amount of personal information.

The CERT conduced a wide-scale automated dynamic tests on the most popular Android mobile apps, its experts used for the test the CERT Tapioca tool, which is “a network-layer man-in-the-middle (MITM) proxy VM that is based on UbuFuzz and is preloaded with mitmproxy.”

The tool allows experts checking for apps that fail to validate digital certificates and Investigating traffic of any http/https traffic. Differently from the past, the researchers at CERT will contact every development team which designed the application that fail the test, the scope is to make them aware of the vulnerability and to provide suggestion to fix them.

Below the description for the activity published in a blog post by the CERT:

Here is where CERT’s work is providing value:

1. We are performing a wide-scale automated dynamic test. Static analysis goes only so far. Just because an application looks like it may fail to check a certificate, that doesn’t necessarily mean that the code is even used by the application. The false-positive rate for such analysis is likely high.
2. We are notifying the author of every application that fails the dynamic testing described above. In our reports to these authors we include mallodroid static analysis output, a list of the URIs visited by the application while under test, and the mitmproxy log file produced by CERT Tapioca. We also include references to Google andCERT guidance for how to handle certificates in Android applications.
3. We will list affected Android applications in the CERT vulnerability note for this issue, VU#582497.

The CERT also made public a spreadsheet which contains the list of the tested applications, the test results and many other information, including the CVE identifiers (e.g. CVE-2014-6024, CVE-2014-6025, CVE-2014-5524) for the vulnerabilities discovered by its team.

CERT clarified that it has decided to publish the names of flawed apps without giving developers time to address the vulnerabilities because this move gives an advantage to the end-users.

“If an attacker is interested in performing MITM attacks, they’re already doing it. That cat is already out of the bag. They’ve likely set up a rogue access point and are already capturing all of the traffic that passes through it,”  “If end users have vulnerable applications on their phones, knowing which applications are affected does give an advantage to the defenders. They can choose to uninstall vulnerable applications until fixes are available, or if they must, they can choose to use said applications only on trusted networks.” said CERT/CC vulnerability analyst Will Dormann.

The activity is very positive and according to the CERT, the experts will update continually VU#582497 and any resources that the document uses, they intend to work closely with authors to improve the security of the most popular app.

Pierluigi Paganini

(Security Affairs – MITM , CERT, Mobile)