Research: Android smartphone apps leave user data open to attack


Android users are at risk of exposing personal information to third parties because over a thousand popular apps fail to properly secure data in transit, research shows.

The investigation, carried out by German researchers at the University of Hannover and Philipps University of Marburg, found that almost 8 per cent of the apps examined did not adequately protect bank account and social media logins.

The failure of these apps, which were among the 13,500 most popular free apps on the Google Play Market, to properly secure user data in transit leaves them open to so-called man-in-the-middle (MITM) attacks.

These allow attackers to intercept messages sent and received by the app over the internet and, in some cases, alter them.


The research was conducted using a specially created wi-fi hotspot and two MITM attackers: Eve, who passively monitors data in transit, and Mallory, who can tamper with communications.

These tools allowed researchers to capture login details for services such as online bank accounts and corporate networks. Researchers could also disable security programmes or fool them into labelling secure apps as infected.

It was even possible for an attacker to re-direct a request to transfer funds, while making it appear the transaction was proceeding unchanged.

Another area for concern was a lack of knowledge amongst consumers.

Almost half of the non-IT experts surveyed by the researchers said they were using a secure connection when they were in fact using plain HTTP. Just over a third (34.7 per cent) of those with prior IT training made the same mistake.

The researchers proposed several countermeasures.

These include measures integrated into the Android OS, such as enforced certificate checking and an HTTPS Everywhere mode, and marketplace measures, such as using MalloDroid, the tool created by the researchers, to automatically check the available apps for vulnerable code.

IT Pro contacted Google, who declined to comment on the findings.

The full research paper is available to read via the University of Hannover website.

Jane McCallion
Deputy Editor
