Independent SSL certificate testing of a range of Android apps indicates that Google has failed to verify the security of approximately 250 apps in its Play Store, and counting.
Will Dormann, a researcher at the CERT Coordination Center at Carnegie Mellon University, compiled the hundreds of affected Android apps into a spreadsheet published on CERT's website, showing which apps users should avoid installing on their mobile devices because of the potential for data loss and security breaches.
The unvetted apps reside in both the Google Play Store and the Amazon app store, and as of this writing the number of apps vulnerable to man-in-the-middle attacks most likely continues to tick up as Dormann keeps adding to the list. Given that the two stores combined serve a very considerable share of Android users, this calls for serious attention from both users and the companies involved.
The testing method used to determine that those apps are vulnerable, CERT Tapioca, was launched last month; it runs randomly chosen Android apps through a man-in-the-middle (MITM) test. Although the researcher acknowledges that he has tested only a small fraction of the Android ecosystem, the testing is ongoing, and more apps will probably be revealed in the coming days.
Dormann has promised to update the spreadsheet as more apps are found to fail the SSL certificate testing. He is also notifying Google and Amazon of the status of the apps on their respective platforms, as well as the app authors.
It turns out, according to the researcher, that those companies are not performing the same SSL certificate testing on the apps being introduced to their online marketplaces. That is a surprising revelation indeed, especially for Google, which has lately appeared to be taking measures to beef up security across all its services.
It also appears that neither Google nor Amazon has yet made a proactive move toward mitigating risky apps, despite having the vast resources, expertise and pool of talent to do so.
The apps with poor SSL validation range from games to music and productivity apps. However, according to the researcher, it is hard to determine whether the vulnerabilities found in those apps are deliberate or unintentional.
Part of the problem also lies in the poor performance of an app when SSL validation is enabled. Developers, as a matter of routine, disable it so the app runs smoothly. But SSL certificate validation must be re-enabled before the app is published to the app stores, and this is what they most often forget.
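To make concrete both the check Tapioca performs (an interceptor presents a certificate the app should not trust) and the disabled-validation mistake described above, here is an added example written for this article; it is not code from CERT, from Tapioca, or from any of the listed apps. It is in Go rather than Android Java so that it runs stand-alone: Go's `InsecureSkipVerify` stands in for an Android `TrustManager` whose `checkServerTrusted` accepts any chain, a loopback socket stands in for the intercepted network path, and the hostname `api.example.test` and all function names are placeholders chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// untrustedCert mints a self-signed certificate for host. It is the kind of
// certificate an interceptor would present: well-formed, correct name, valid
// dates, but issued by no authority the app trusts. Constructed for this example.
func untrustedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// validatingClient is the configuration a correctly shipped app uses: the chain
// is checked against the platform roots and the hostname, nothing is overridden.
func validatingClient(host string) *tls.Config {
	return &tls.Config{ServerName: host, MinVersion: tls.VersionTLS12}
}

// disabledClient is the development shortcut the article describes, left in the
// release build. InsecureSkipVerify stands in for an Android TrustManager whose
// checkServerTrusted accepts any chain (or a HostnameVerifier that returns true).
func disabledClient(host string) *tls.Config {
	return &tls.Config{ServerName: host, MinVersion: tls.VersionTLS12, InsecureSkipVerify: true}
}

// AcceptsUntrustedCert plays the interceptor on a loopback socket and reports
// whether a client using cfg completes the handshake. true is the Tapioca-style
// finding: the app will talk to whoever sits in the path. The error return is
// for failures of the check itself (key generation, listen, dial), never for a
// refused certificate, which is the safe outcome and is reported as false.
func AcceptsUntrustedCert(host string, cfg *tls.Config) (bool, error) {
	cert, err := untrustedCert(host)
	if err != nil {
		return false, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		srv := tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{cert}})
		_ = srv.Handshake() // a client that validates refuses here with a TLS alert
		srv.Close()
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err
	}
	cli := tls.Client(raw, cfg)
	defer cli.Close()
	return cli.Handshake() == nil, nil
}

func main() {
	const host = "api.example.test" // placeholder backend name for the example
	for _, cfg := range []*tls.Config{validatingClient(host), disabledClient(host)} {
		accepted, err := AcceptsUntrustedCert(host, cfg)
		if err != nil {
			panic(err)
		}
		fmt.Printf("verification disabled=%-5v untrusted certificate accepted=%v\n", cfg.InsecureSkipVerify, accepted)
	}
}
```

The check deliberately separates transport failures from a refused certificate: the raw TCP connection is established first, so a handshake error can only mean the client rejected the certificate, which is the outcome a release build should produce. A release-gate test of this shape, run against the app's real HTTP client configuration before publishing, catches exactly the forgotten re-enable the article describes.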