A growing compilation of close to 350 Android applications that fail to perform SSL certificate validation over HTTPS has been put together by the CERT Coordination Center at the Software Engineering Institute at Carnegie Mellon University.
Researcher Will Dormann created a large spreadsheet, hosted on the CERT/CC site, listing Android applications found on both the Google Play and Amazon stores that fail to validate digital certificates, leaving them exposed to man-in-the-middle attacks.
Dormann said the spreadsheet is a living document and more applications are currently being tested and will be added to the list. On Aug. 21, CERT/CC released a tool called CERT Tapioca that was used to perform man-in-the-middle testing on the Android applications.
“We tested only a small fraction of applications that are available. The testing we’re doing is an ongoing thing,” Dormann said. “The spreadsheet will be updated continually as we find more vulnerable apps. We’re notifying the authors too.”
Similar research efforts stopped short of notifying the application authors, Dormann said. “Likely those apps were not fixed,” he said. “That’s part of our motivation to take a proactive stance to get apps fixed versus just publicly stating that there is a problem.”
Dormann said he also notified both Google and Amazon of his research and hopes that it will spur both organizations to do similar validation testing on applications before they are allowed to be hosted on their respective app stores.
“It’s my understanding that Google is not performing this type of validation,” Dormann said. “My perspective on this is that if I can perform this type of testing, it could be something that Google or Amazon, or other app store operators, may do for proper SSL validation. It’s something that maybe they could do on their end.”
Most of the apps on the list are currently available in the respective app stores. The apps run the gamut from games to music, productivity and everything in between. Where available, a CVE number is provided for each app, along with a notation of whether credentials are weak or at risk.
“No one can determine intent as to whether the apps are intentionally malicious,” Dormann said. “It would be my assumption that it’s a mistake the author made while developing the app.”
Dormann said developers sometimes disable SSL validation while testing apps on internal infrastructure that may not play nicely with validation, and may then forget to re-enable validation before the app is published to an app store.
The result is that the app is vulnerable to a man-in-the-middle attack, in which an attacker impersonates the destination website. If the client application does not validate the certificate, the client is likely not communicating with its intended destination, and the attacker could be intercepting what is supposed to be encrypted traffic.
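As an added illustration (not code from the CERT/CC post or the article), the test-time shortcut the paragraph describes, alongside a guard that makes it fail loudly in a release build and a self-check that confirms the platform validation is still in place. `BuildConfig.DEBUG` is assumed to be the Gradle-generated Android flag, and the class is assumed to be loaded at application start, before any other code could swap the defaults.

```java
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public final class TlsValidationGuard {

    // Defaults captured at class load, before any code could replace them.
    // Load this class early (e.g. from Application.onCreate) or the check is moot.
    private static final SSLSocketFactory PLATFORM_FACTORY =
            HttpsURLConnection.getDefaultSSLSocketFactory();
    private static final HostnameVerifier PLATFORM_VERIFIER =
            HttpsURLConnection.getDefaultHostnameVerifier();

    // The shortcut the article describes: accept any certificate chain and any
    // hostname. A man-in-the-middle presenting its own certificate is accepted
    // silently, so the "encrypted" channel terminates at the attacker.
    private static void disableValidationUnsafely() throws Exception {
        TrustManager[] trustAll = { new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] c, String t) { }
            @Override public void checkServerTrusted(X509Certificate[] c, String t) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier((host, session) -> true);
    }

    // Only entry point test code may call. In a release build it throws instead
    // of letting the bypass ship unnoticed. BuildConfig.DEBUG is the assumed
    // Gradle-generated flag of the app's own package.
    public static void enableTestShortcut() throws Exception {
        if (!BuildConfig.DEBUG) {
            throw new IllegalStateException("certificate validation bypass in a release build");
        }
        disableValidationUnsafely();
    }

    // Release-build self-check: true only while the platform's certificate and
    // hostname validation are still the process-wide defaults.
    public static boolean validationIntact() {
        return HttpsURLConnection.getDefaultSSLSocketFactory() == PLATFORM_FACTORY
            && HttpsURLConnection.getDefaultHostnameVerifier() == PLATFORM_VERIFIER;
    }
}
```

The better fix is to never install a custom TrustManager at all: on Android 7 and later, a debugging CA can be trusted only in debuggable builds through the Network Security Config's `<debug-overrides>` element, which the build tooling ignores for release builds.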
In a blog post published today, Dormann explains his proof-of-concept experiment using Tapioca to find vulnerable apps. Using the tool automates the test and allows it to scale, even though, at the moment, it is manually testing the million or so apps in Google Play.