Some Android Apps Can Be Tricked Into Revealing Users’ Information

Nearly eight percent of the Google Android apps examined in a new study fail to protect bank account and social media logins from eavesdroppers, the researchers found.

Of the 13,500 Android apps tested by scientists from two German universities, 1,074 did not correctly implement the standard encryption (SSL/TLS) that is supposed to protect their connections, leaving them open to "man-in-the-middle" attacks, in which an attacker positioned between the device and the website can read the data passing back and forth.
One app could even be tricked into letting an attacker redirect a request to transfer funds without the app user's knowledge.
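The kind of mistake the study describes, shown here as an added illustration rather than code from the article or from the researchers: an Android app that installs its own TrustManager and HostnameVerifier that accept every certificate and every hostname, so a rogue hotspot presenting its own certificate is trusted without complaint, alongside a hardened version that pins the CA certificate the app expects. The class name, the method names and the `pemCert` input stream are assumptions made for the example; on Android the pinned certificate would typically be loaded from a resource bundled with the app.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical class written for this illustration; not from the study or the article.
public final class TlsValidationExamples {

    // VULNERABLE: a TrustManager whose check methods never throw accepts any
    // certificate chain, including one forged by a man-in-the-middle.
    static SSLContext trustEverythingContext() throws Exception {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        return ctx;
    }

    // VULNERABLE: a HostnameVerifier that returns true lets a certificate issued
    // for any other name pass for the site the app meant to talk to.
    static final HostnameVerifier ALLOW_ALL_HOSTNAMES = new HostnameVerifier() {
        @Override public boolean verify(String hostname, SSLSession session) { return true; }
    };

    // Puts the two weaknesses together: this connection is encrypted, but to
    // whoever answers, so a rogue Wi-Fi hotspot can read and alter the traffic.
    static HttpsURLConnection openInsecure(URL url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(trustEverythingContext().getSocketFactory());
        conn.setHostnameVerifier(ALLOW_ALL_HOSTNAMES);
        return conn;
    }

    // HARDENED: trust only the CA certificate shipped with the app (pinning).
    // pemCert is a PEM- or DER-encoded X.509 certificate supplied by the caller.
    static SSLContext pinnedContext(InputStream pemCert) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate pinnedCa = cf.generateCertificate(pemCert);

        // An empty in-memory KeyStore containing just the pinned certificate.
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null);
        keyStore.setCertificateEntry("pinned-ca", pinnedCa);

        // The platform's default TrustManager does real chain validation
        // against that KeyStore; nothing else is trusted.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(keyStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // The default HostnameVerifier is deliberately left in place: the certificate
    // must chain to the pinned CA and must be issued for the requested host.
    static HttpsURLConnection openPinned(URL url, InputStream pemCert) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(pinnedContext(pemCert).getSocketFactory());
        return conn;
    }
}
```

Against the hardened connection, a hotspot that presents a certificate it generated itself fails in `checkServerTrusted` and the request never leaves the device; the simplest hardening of all, if pinning is not needed, is to use `HttpsURLConnection` with no custom `TrustManager` or `HostnameVerifier` at all and let the platform's defaults validate the chain.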

The most popular apps in Google's Play store were tested by scientists from the security group at Leibniz University Hannover and the computer science department at Philipps University Marburg. Some of the apps tested had been downloaded millions of times.
The researchers set up a phony Wi-Fi hotspot that routed traffic through a man-in-the-middle attack tool, letting them inspect the data the apps sent over it.

This enabled the researchers to:
  • Capture login credentials for online bank accounts, e-mail services, social media sites and corporate networks.
  • Either disable security programs altogether or dupe them into classifying harmless apps as infected.
  • Inject code into the data stream to make apps carry out attacker-chosen commands.
The researchers also surveyed users to find out whether they can tell when they are at risk.
“About half of the participants could not judge the security state of a browser session correctly,” the researchers wrote. “Most importantly, research is needed to study which counter-measures offer the right combination of usability for developers and users, security benefits and economic incentives to be deployed on a large scale.”
Google has yet to comment on the findings.