Slapdash SSL code puts tons of top Android Play Store apps in hack peril Sloppy programming, poor patching, and unreliable trust engines are rife within Android apps, according to a new study. In short, millions smartphone users are potentially wide open to man-in-the-middle attacks, it's claimed. Researchers at security firm FireEye went through the 1,000 most popular Android applications from the …
Google Play has no approval process, so tests like this can't be part of it. :)
I wonder, though, whether the Apple approval process includes testing for weak SSL checking. From my understanding there's no real security testing done as part of Apple's approval process. It would be interesting to see the results of the same test being done against the top 10,000 iOS apps, I would expect much the same result.
After all, if there is one consistency between iOS and Android, it's poorly coded apps.
Google Play has no approval process, so tests like this can't be part of it. :)
Google does have an automated process for scanning apps for malware. It sounds like SSL tests should be part of that. Fortunately it's quite straightforward to run each app in a sandbox and attempt to MitM any outgoing SSL connections. If the app doesn't immediately close the connection, it should be considered vulnerable.
My strong guess is that Apple's approval process consists mostly of making sure there's nothing in the app that will impact Apple's bottom line. Everything else, and that definitely includes security and privacy is very much secondary.
Disclaimer: I have an iThingie. Ooo-errrr!
Trust management problems in 73 percent of the top 1000 apps, but only 36% of the next 9,000 most popular apps. Webkit issues in 77% of the top 1000, but just 6% of the next 9,000. Why are the most-downloaded apps so much more prone to security problems than ones that aren't quite as popular?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
