CERT disclosed the list of most popular vulnerable Android apps

The CERT has published the results of its test conducted on popular Android applications that fail to properly validate SSL certificates.

In several posts we have discussed about the improper validation of SSL certificates made by mobile devices, recently we mentioned the case of the Gmail app for iOS devices which, according to an expert at mobile security firm Lacoon, doesn’t perform the certificate pinning procedure when establishing a trusted connection to the service provider. The failure of the certificate pinning procedure exposes users to the risk of MitM attacks and consequent theft of sensitive information.

The CERT Coordination Center at Carnegie Mellon University (CERT/CC) has published a list of popular Android applications that don’t implement correctly the SSL certificate validation, and the problems is widespread.

Recently security experts at FireEye evaluated the level of security offered by 1,000 of the most popular free apps offered on Google Play, also in this case the results are shocking, 68% of the app doesn’t check server certificates and 77% ignores SSL errors. According to the CERT, the applications are using vulnerable libraries, such as the Flurry and Chartboost ad libraries, for this reason Android users are exposed to the risk of attacks. Despite FireEye notified the flaws to the developers the CERT pointed out that only a few companies took steps to secure their products.

On October 2013, German researchers Beekman and Thompson published a study that revealed that many applications failed to properly implement SSL exposing users to basic Man-In-The-Middle attacks. In 13,500 of the most popular free applications on Google Play at the time, 8% implemented a vulnerable SSL and some of them collected a substantial amount of personal information.

The CERT conduced a wide-scale automated dynamic tests on the most popular Android mobile apps, its experts used for the test the CERT Tapioca tool, which is “a network-layer man-in-the-middle (MITM) proxy VM that is based on UbuFuzz and is preloaded with mitmproxy.”

The tool allows experts checking for apps that fail to validate digital certificates and Investigating traffic of any http/https traffic. Differently from the past, the researchers at CERT will contact every development team which designed the application that fail the test, the scope is to make them aware of the vulnerability and to provide suggestion to fix them.

Below the description for the activity published in a blog post by the CERT:

Here is where CERT’s work is providing value:

We are performing a wide-scale automated dynamic test. Static analysis goes only so far. Just because an application looks like it may fail to check a certificate, that doesn’t necessarily mean that the code is even used by the application. The false-positive rate for such analysis is likely high.
We are notifying the author of every application that fails the dynamic testing described above. In our reports to these authors we include mallodroid static analysis output, a list of the URIs visited by the application while under test, and the mitmproxy log file produced by CERT Tapioca. We also include references to Google andCERT guidance for how to handle certificates in Android applications.
We will list affected Android applications in the CERT vulnerability note for this issue, VU#582497.

The CERT also made public a spreadsheet which contains the list of the tested applications, the test results and many other information, including the CVE identifiers (e.g. CVE-2014-6024, CVE-2014-6025, CVE-2014-5524) for the vulnerabilities discovered by its team.

CERT clarified that it has decided to publish the names of flawed apps without giving developers time to address the vulnerabilities because this move gives an advantage to the end-users.

“If an attacker is interested in performing MITM attacks, they’re already doing it. That cat is already out of the bag. They’ve likely set up a rogue access point and are already capturing all of the traffic that passes through it,” “If end users have vulnerable applications on their phones, knowing which applications are affected does give an advantage to the defenders. They can choose to uninstall vulnerable applications until fixes are available, or if they must, they can choose to use said applications only on trusted networks.” said CERT/CC vulnerability analyst Will Dormann.

The activity is very positive and according to the CERT, the experts will update continually VU#582497 and any resources that the document uses, they intend to work closely with authors to improve the security of the most popular app.

Pierluigi Paganini

(Security Affairs – MITM , CERT, Mobile)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.