SAN FRANCISCO – Android developers whose apps fail to validate SSL certificates are on notice; not only are researchers scanning apps making insecure connections, but so is Google. And the hammer may fall soon.
Will Dormann, a researcher with CERT at the Software Engineering Institute at Carnegie Mellon University, today at RSA Conference shared new data collected by the organization’s free-of-charge CERT Tapioca tool, a transparent proxy capture appliance that does man-in-the-middle traffic analysis looking for such issues.
Tapioca passed 1 million applications scanned earlier this year, finding 23,667 vulnerable apps that do not properly validate SSL certificates, a number that dwarfs the original 350 that were discovered and published in September on a spreadsheet built by Dormann and CERT.
Since the scans stopped in January, CERT said it began notifying the respective app developers of its findings, and the results were sometimes unintentionally funny, ranging from some developers finding the notifications outright harassing, to others demonstrating ignorance of SSL, while most simply ignored them. The most important number, however, the share of email responses to CERT that included fix details, was a discouraging 0.1 percent.
“Contacting the author is not as effective as it should be,” Dormann said. “When you’re essentially doing cold calls to developers and non-developers, it’s hard to get a good response. Still, I was hoping it would be higher.”
One plus is that Google has taken notice as well, and lead engineer for Android security Adrian Ludwig said some developers have been put on notice.
“We have sent out warnings to developers who are not properly using certain crypto libraries,” Ludwig said. “We plan on becoming more strict over time in terms of enforcement. Google Play policy states that if an application is vulnerable, it can be taken down. The hardest problem in software is getting people to update; and you have to balance that rate with the rate at which you compel developers to update apps. We’ve done some warnings, and we’ll do more in the future.”
The apps on the CERT list are currently available in Google Play and range from games to music and productivity apps, covering most other categories as well. Apps that don’t properly verify SSL certificates are open to man-in-the-middle attacks: an attacker positioned on the network path can then sniff the traffic or impersonate the destination website. In either case, the client is likely not communicating with its intended destination, and the attacker could be intercepting what is supposed to be encrypted traffic.
“What I would like to see is more thorough testing [from Google],” said Dormann. “Whatever Google is doing to validate apps, it’s possible they could add another aspect to it. So if they’re doing just static analysis, it’s possible if they add dynamic analysis as well, they might get a better view of apps that are not doing the right thing.”
There are some reasons developers shut off certificate validation, despite the fact that SSL checking is on by default, Dormann said.
“Why would someone purposely turn it off? If someone has an internal development center and it’s not on the Net, they could have turned off validation during development and when they published to Google Play, they forgot to turn it back on,” Dormann said. “Another thing that’s plausible, if you’re a developer and looking for some code that does something, and if the first thing that comes up works, you choose it and you might not understand the significance of every line you’re copying and pasting. That’s the case for any language.”