Android apps 'leak' personal details



Scientists tested 13,500 Android apps and found almost 8% failed to protect bank account and social media logins.

These apps failed to implement standard scrambling systems, allowing "man-in-the-middle" attacks to reveal data that passes back and forth when devices communicate with websites.

Google has yet to comment on the research and its findings.

Researchers from the security group at the University of Leibniz in Hanover and the computer science department at the Philipps University of Marburg tested the most popular apps in Google's Play store.

By creating a fake wi-fi hotspot and using a specially created attack tool to spy on the data the apps sent via that route, the researchers were able to:

  • capture login details for online bank accounts, email services, social media sites and corporate networks
  • disable security programs or fool them into labelling secure apps as infected
  • inject computer code into the data stream that made apps carry out specific commands

An attacker could even re-direct a request to transfer funds, while making it look to the app user like the transaction was proceeding unchanged.

Some of the apps tested had been downloaded millions of times, the researchers said.

And a follow-up survey of 754 people suggests users could struggle to spot when they were at risk.

"About half of the participants could not judge the security state of a browser session correctly," the researchers wrote.

"Most importantly, research is needed to study which counter-measures offer the right combination of usability for developers and users, security benefits and economic incentives to be deployed on a large scale."


Most of these apps are garbage that people download because it looks like a free version of a popular app or people just do not read the permissions prior to agreeing to installing an app. Thankfully Google is implementing a system now that will check apps for malicious intent prior to posting on the store.

I don't like how most apps want access to personal stuff.

Most apps do not require access to personal information. Generally just games with Social Network integration.


The main problem in the permissions system of Android is that one cannot allow or deny them separately and on a case-by-case basis. It's the opposite of how any remotely useful permissions system works by default - and that would be "deny everything unless I've personally told otherwise" (UAC/Superuser/root-like). As it becomes more and more problematic, I'd even support "deny takes precedence over allow" (NTFS-like; prone to the owner being unable to write to its own stuff, but that's rare enough).

The Android permissions system has been designed this way with ads and information snooping exactly in mind, rather than overlooked. Ads would become highly impractical and information leaks virtually impossible had internet access (and access to data) been denied by default. And, if every such access alerted the user, illegal malware would have to look for less obvious ways as well.


I only get apps from trusted sources. I watch out for who made it. Most just blindly download some stupid fart app and don't care.


I only get apps from trusted sources. I watch out for who made it. Most just blindly download some stupid fart app and don't care.

  1. Users want to click on things.
  2. Code wants to be wrong.
  3. Services want to be on.
  4. Security features can be used to harm.

Four irrefutable security laws, by Malcolm Harkins, Intel's CISO

While background information flow can (but won't) be limited and controlled to some extent, there's absolutely no cure against the first one.


How is this a surprise? On my iPod I visit my server with a self-signed certificate, it automatically connects and doesn't give me an error like Firefox or IE or everything else does (not that it bothers me). And I remember when I was coding an app for iOS the other year and connecting to HTTPS domains that had certificates that didn't even match the domain it was connecting to - again, no warnings...


I only get apps from trusted sources. I watch out for who made it. Most just blindly download some stupid fart app and don't care.

I'm the same way. My wife on the other hand just clicks anything and everything and then she wonders why she has so much trouble with her phone.


I'm the same way. My wife on the other hand just clicks anything and everything and then she wonders why she has so much trouble with her phone.

I mostly only get stuff from legit companies....


So is this something that should alter me buying an S3? I'm buried in the Apple and MS ecosystems, so Android would be completely new to me.


So is this something that should alter me buying an S3? I'm buried in the Apple and MS ecosystems, so Android would be completely new to me.

Just look at the permissions before you download.


The fact that everyone seems to be overlooking is that this report isn't about questionable apps requesting permissions they don't need and then siphoning off your details to all and sundry; this is about legitimate apps sending credentials over non-secure connections and being subject to MITM attacks.

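Both the original post (apps that failed to implement the standard certificate checks, so a fake hotspot could read login traffic) and the point made just above (legitimate apps exposed to MITM, not permission abuse) come down to the same client-side coding mistake. The Java below is an added illustration, not code from the article, the researchers' test tool, or any of the apps they tested: it shows the trust-everything pattern that makes an app's HTTPS session readable by whoever controls the network, the platform-default configuration that stops it, and a small check a reviewer can run on a connection object. The hostname in `main` is a placeholder and nothing is sent over the network.

```java
// Added example: insecure vs. correct TLS client setup for a Java/Android-style
// client using javax.net.ssl. Hostnames are placeholders; no request is made.
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public final class TlsClientExamples {

    /**
     * VULNERABLE: the empty checkServerTrusted() accepts any certificate chain,
     * so a rogue hotspot presenting a self-signed certificate is trusted and the
     * "encrypted" session is readable (and modifiable) by the attacker. The
     * always-true HostnameVerifier additionally accepts a certificate issued for
     * a completely different host. This is the pattern the study found in apps.
     */
    static HttpsURLConnection openTrustAllConnection(URL url)
            throws java.io.IOException, GeneralSecurityException {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                @Override public void checkClientTrusted(X509Certificate[] chain, String authType) {}
                @Override public void checkServerTrusted(X509Certificate[] chain, String authType) {}
                @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(new HostnameVerifier() {
            @Override public boolean verify(String hostname, SSLSession session) { return true; }
        });
        return conn;
    }

    /**
     * HARDENED: the platform defaults already validate the chain against the
     * device trust store and verify the hostname; the fix is to leave them alone.
     * Refusing plain http:// for a login URL closes the other case the study
     * describes (credentials sent over a non-secure connection).
     */
    static HttpsURLConnection openValidatedConnection(URL url) throws java.io.IOException {
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new java.io.IOException("refusing to send credentials over " + url.getProtocol());
        }
        return (HttpsURLConnection) url.openConnection();
    }

    /**
     * Review/audit helper: true only if neither the socket factory nor the
     * hostname verifier has been swapped out for a custom one. A false result
     * means someone overrode the default checks and the override needs reading.
     */
    static boolean usesDefaultVerification(HttpsURLConnection conn) {
        return conn.getHostnameVerifier() == HttpsURLConnection.getDefaultHostnameVerifier()
            && conn.getSSLSocketFactory() == HttpsURLConnection.getDefaultSSLSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        URL login = new URL("https://bank.example/login"); // placeholder host

        HttpsURLConnection bad = openTrustAllConnection(login);
        HttpsURLConnection good = openValidatedConnection(login);

        // Expected: false for the trust-all connection, true for the default one.
        System.out.println("trust-all connection keeps default checks: " + usesDefaultVerification(bad));
        System.out.println("validated connection keeps default checks: " + usesDefaultVerification(good));

        // With the hardened connection, conn.connect() would throw an
        // SSLHandshakeException if a middlebox presented an untrusted or
        // mismatched certificate, which is exactly the failure the apps lacked.
    }
}
```

When reviewing an app's source for this class of bug, the things to look for are a `checkServerTrusted` with an empty body or one that only logs, a `HostnameVerifier.verify` that returns `true` unconditionally, and login or token endpoints built from `http://` strings; each of these turns the padlock into decoration, regardless of what permissions the app asked for at install time.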
