undertaken by the University of Leibniz in Hanover and the computer science department at the Philipps University of Marburg examined 13,500 Android apps. The research found that around 8% (1,000 apps) were insecure. The phones tested were running Android 4.0.
These apps did not, for example, protect bank account and social media login details. The apps, which were commercially available via Google's Play store, did not correctly use standard encryption. This left them exposed to attacks that could reveal the data transmitted between the apps and a website.
For the research, the university team created a fake Wi-Fi hotspot and used a purpose-built attack tool to spy on the data the apps sent via that route. This means that if an Android smartphone or tablet is connected to a vulnerable local area network, such as a Wi-Fi hotspot, an attacker could potentially defeat the security protocols used by the apps and collect the data they exchange.
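One practical way a defender can catch the class of weakness the article describes, before an app ships, is to audit its source for code that switches off the standard encryption checks (for example, a trust manager that accepts any server certificate, a hostname verifier that always returns true, or plain `http://` endpoints). The script below is an added example, not code from the research or from any of the apps studied; the Java fragment it scans is constructed for illustration, and the rule names and the `audit` function are this example's own.

```python
import re
from typing import List, Tuple

# Constructed sample: a Java fragment of the kind that silently disables
# certificate and hostname validation (hypothetical, not from the study).
SAMPLE_SOURCE = """
public class NaiveClient {
    static final String API = "http://api.example.test/login";
    TrustManager[] trustAll = new TrustManager[] {
        new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) {}
            public void checkServerTrusted(X509Certificate[] c, String a) {}
            public X509Certificate[] getAcceptedIssuers() { return null; }
        }
    };
    HostnameVerifier hv = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) { return true; }
    };
}
"""

# Each rule: (identifier, compiled pattern, why it matters to a defender).
# Rule identifiers are this example's own naming, not a standard taxonomy.
RULES: List[Tuple[str, "re.Pattern[str]", str]] = [
    ("empty-server-trust",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.]+\s*)?\{\s*\}", re.S),
     "server certificate chain is never validated"),
    ("accept-all-hostname",
     re.compile(r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}", re.S),
     "certificate hostname is never matched against the peer"),
    ("allow-all-hostname-verifier",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER"),
     "legacy Apache constant that disables hostname checking"),
    ("plaintext-http",
     re.compile(r'"http://[^"]+"'),
     "credentials sent to this endpoint travel unencrypted"),
]


def audit(source: str) -> List[dict]:
    """Return one finding per insecure pattern, ordered by source line."""
    findings = []
    for rule_id, pattern, reason in RULES:
        for match in pattern.finditer(source):
            # Line number = newlines before the match start, plus one.
            line_no = source.count("\n", 0, match.start()) + 1
            findings.append({"rule": rule_id, "line": line_no, "reason": reason})
    return sorted(findings, key=lambda f: f["line"])


def is_clean(source: str) -> bool:
    """True when none of the insecure patterns appear in the source."""
    return not audit(source)


if __name__ == "__main__":
    for finding in audit(SAMPLE_SOURCE):
        print(f"line {finding['line']:>3}  {finding['rule']:<28} {finding['reason']}")
```

Run against the constructed sample, the audit flags the plaintext endpoint, the empty `checkServerTrusted` body and the always-true hostname verifier; a source that uses the platform defaults over `https://` produces no findings. Regex matching is a coarse first pass (it will miss patterns split across helper classes), so treat a clean result as necessary rather than sufficient.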
Quoted by PC Mag, the researchers said: “From these 41 apps, we were able to capture credentials for American Express, Diners Club, Paypal, bank accounts, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, remote control servers, arbitrary email accounts, and IBM Sametime, among others.”
According to the BBC, by using the fake router the researchers were able to:
Capture login details for online bank accounts, email services, social media sites and corporate networks;
Disable security programs;
Inject computer code into the data stream that made apps carry out specific commands.
It was even possible to redirect a request to transfer funds, which obviously has serious implications for users’ bank accounts.
According to TechHive, the report also stated that the typical smartphone user would not know when they were at risk or when an app was not behaving as it should.
Although the researchers did not name the vulnerable apps, the implication of the research is that stronger countermeasures are required to protect smartphone users and to make commercially available apps more secure.