A team of German researchers has discovered serious vulnerabilities in 41 Android applications available on Google Play that have been downloaded between 39.5 and 185 million times. These security flaws can allow access to online banking information, social networks, email or instant messaging services.
The problem is that all of these applications use ineffective encryption, according to the information submitted by the researchers and reported by Ars Technica.
To find this out, the researchers connected the devices to a local network and used various known exploits, with which they managed to get past the security layers. The key lay in the SSL and TLS protocols.
But it all started with downloading 3500 free apps from Google Play, which were subjected to statistical analysis. This revealed whether their Android SSL implementations were potentially vulnerable to these exploits or not. 8% (1074) were.
The researchers analyzed 100 of these 1074 applications in depth and found that some of them accept SSL certificates signed by the researchers themselves rather than by a valid authority. Others accept certificates issued for domain names different from the one the app was accessing.
Thus, for example, they found that a “very popular cross-platform messaging service” with several tens of millions of users (the study does not name any of the applications analyzed) was exposing the phone numbers stored in the phonebook.
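The two certificate-validation failures described above (accepting a certificate not signed by a valid authority, and accepting one issued for a different domain name) leave recognizable traces in an app's Java source. The following Python check is an added example, not code from the study or the article; the patterns, the finding names and both sample snippets are constructed assumptions.

```python
import re

# Source-level signs of the two failures. The patterns are assumptions about how
# such code usually looks in Android Java, not the researchers' own rules.
EMPTY_CHECK = re.compile(
    r"void\s+checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.]+\s*)?\{\s*\}")
ANY_HOST = re.compile(
    r"ALLOW_ALL_HOSTNAME_VERIFIER|AllowAllHostnameVerifier"
    r"|boolean\s+verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)"
    r"\s*\{\s*return\s+true\s*;\s*\}")
# Naive comment stripper: it also cuts string literals that contain "//".
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*", re.DOTALL)

def audit(java_source):
    """Return the set of findings for one Java source string."""
    code = COMMENTS.sub("", java_source)  # a comment-only body counts as empty
    findings = set()
    if EMPTY_CHECK.search(code):
        findings.add("accepts-any-certificate")  # untrusted signer passes
    if ANY_HOST.search(code):
        findings.add("accepts-any-hostname")  # cert for another domain passes
    return findings

# Constructed sample: a trust manager that never rejects a chain and a
# hostname verifier that approves every name.
WEAK_APP = """
class TrustAll implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] c, String a) {}
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // TODO: remove before release
    }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}
class AnyHost implements HostnameVerifier {
    public boolean verify(String host, SSLSession session) { return true; }
}
"""

# Constructed sample: platform defaults, which check the chain and hostname.
SAFE_APP = """
URL url = new URL("https://api.example.com/login");
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
InputStream in = conn.getInputStream();
"""

if __name__ == "__main__":
    for name, src in (("WEAK_APP", WEAK_APP), ("SAFE_APP", SAFE_APP)):
        print(name, sorted(audit(src)) or "no findings")
```

A clean result only means these particular patterns are absent; it does not prove that the app validates certificates correctly.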