I have previously written (here, here, here, and here) about Android apps that fail to validate SSL certificates. CERT has started to name and shame libraries and apps that their Tapioca tool has detected to be vulnerable to Man In The Middle (MITM) SSL attacks. There’s a blog post on how they have automated the analysis, a vulnerability note explaining the problem and a large spreadsheet of vulnerable libraries and apps.
Libraries that have been found to be vulnerable are Flurry, Chartboost, Adcolony, MoMinis, Inmobi, Tapjoy, Appsflyer, Gameloft, Zopim, Fiksu and Batch, of which only the first two, Flurry and Chartboost, are noted as fixed.
CERT is testing one app at a time, so progress is slow. Nevertheless, over 1000 apps are listed as having failed. However, some of these failed because they include one of the vulnerable libraries above rather than because of their own code.
If you think this is just an Android-specific problem then you might like to consider that Veracode previously found 7% of Android apps and 33% of iOS apps had cryptographic problems. Developers can be inexperienced or lazy on both platforms.
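The failure Tapioca's MITM test catches is usually a hand-written TrustManager that accepts every certificate chain. The added example below (mine, not code from CERT, Veracode or any of the named libraries; the URL is a placeholder) shows that pattern next to the fix, which is simply to leave the platform's default validation in place.

```java
import java.io.IOException;
import java.net.URL;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class CertValidationExample {

    // VULNERABLE: a TrustManager whose check methods never throw. Any chain passes,
    // including one forged by an on-path attacker, so the connection is open to MITM.
    static final TrustManager[] TRUST_ALL = new TrustManager[] {
        new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            public void checkServerTrusted(X509Certificate[] chain, String authType) {}
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };

    // This is the shape of code that shows up in the libraries and apps CERT lists.
    static void installTrustAll() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, TRUST_ALL, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        // Frequently paired with a hostname verifier that also accepts everything.
        HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true);
    }

    // FIXED: do nothing special. HttpsURLConnection already validates the chain against
    // the device trust store and checks the hostname; an untrusted certificate makes
    // getResponseCode() throw SSLHandshakeException instead of silently connecting.
    static int fetchWithDefaultValidation(String url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        try {
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder host; with default validation a MITM certificate is rejected.
        System.out.println(fetchWithDefaultValidation("https://example.com/"));
    }
}
```

A quick code review check for the vulnerable form is to grep an app or library for `X509TrustManager` and `setDefaultHostnameVerifier` and confirm that every override actually throws on an invalid chain or name.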