back to article Slapdash SSL code puts tons of top Android Play Store apps in hack peril

Sloppy programming, poor patching, and unreliable trust engines are rife within Android apps, according to a new study. In short, millions smartphone users are potentially wide open to man-in-the-middle attacks, it's claimed. Researchers at security firm FireEye went through the 1,000 most popular Android applications from the …

  1. gregthecanuck

    Sounds like the Google Play Store should do this same type of testing prior to approval.

    1. mirobaka

      Google Play has no approval process, so tests like this can't be part of it. :)

      I wonder, though, whether the Apple approval process includes testing for weak SSL checking. From my understanding there's no real security testing done as part of Apple's approval process. It would be interesting to see the results of the same test being done against the top 10,000 iOS apps, I would expect much the same result.

      After all, if there is one consistency between iOS and Android, it's poorly coded apps.

      1. Daniel Voyce

        I was wondering the same thing - just because there is an approval process in iOS apps doesn't necessarily mean there is a code review process to weed out stuff like this.

      2. gregthecanuck

        >> Google Play has no approval process, so tests like this can't be part of it. :)

        Well, that's scary! One more reason to avoid an Android phone.

      3. codebeard

        Google Play has no approval process, so tests like this can't be part of it. :)

        Google does have an automated process for scanning apps for malware. It sounds like SSL tests should be part of that. Fortunately it's quite straightforward to run each app in a sandbox and attempt to MitM any outgoing SSL connections. If the app doesn't immediately close the connection, it should be considered vulnerable.

        1. Rich 2 Silver badge

          Approval needed

          My strong guess is that Apple's approval process consists mostly of making sure there's nothing in the app that will impact Apple's bottom line. Everything else, and that definitely includes security and privacy is very much secondary.

          Disclaimer: I have an iThingie. Ooo-errrr!

          1. Anonymous Coward
            Anonymous Coward

            Re: Approval needed

            I've seen an app that needs to be connected to a backend server get into iTunes without that backend server ever getting a hit from the app outside of the office it was developed in..

      4. Brewster's Angle Grinder Silver badge

        @mirobaka

        "After all, if there is one consistency between iOS and Android, it's poorly coded apps."

        Repeated market tests shows consumers won't pay for quality code.

  2. Kanhef

    Interesting statistics

    Trust management problems in 73 percent of the top 1000 apps, but only 36% of the next 9,000 most popular apps. Webkit issues in 77% of the top 1000, but just 6% of the next 9,000. Why are the most-downloaded apps so much more prone to security problems than ones that aren't quite as popular?

    1. Anonymous Coward
      Anonymous Coward

      Re: Interesting statistics

      probably because they dont actually do anything...just like the bottom amateur apps in the itunes cr*p store...

    2. Brewster's Angle Grinder Silver badge

      Re: Interesting statistics

      Do not tell my boss that the crappier the coding, the more popular the app.

      Serious Answer: I would guess that the top 1000 are more likely to be ad supported, and so more likely to be using the buggy advertising libraries, than the remaining 9,000

  3. Anonymous Coward
    Trollface

    Well what did they expect using a library called "Slapdash SSL"?

    Asking for trouble if you ask me.

  4. Anonymoist Cowyard
    FAIL

    Pot and Kettle?

    "Sloppy programming"

    Have you seen the user reviews of the Android The Register app.

    I rest my case...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020