Popular Android Apps Leaking Your Credit Card Data And Facebook Password


Bangalore: A new report on Android apps will upset millions of Android users worldwide: researchers have uncovered severe security flaws in some of the most popular Android applications. The flaws leak users’ data, ranging from credit card information and email content to social networking site passwords.

Out of the 13,500 apps tested by the security group at Leibniz University of Hannover and Philipps University of Marburg, 8 percent were found to leak data to “man-in-the-middle” attacks. Moreover, the group found that many Android apps in the Google Play Store failed to implement standard scrambling systems.

The researchers created a fake Wi-Fi hotspot and used an attack tool to spy on data sent by apps via the mobile route. They succeeded in capturing the login details of online bank accounts, email, social media sites and corporate accounts. They were also able to easily disable security programs and inject code into the data stream that made apps carry out specific functions.

An attacker could even redirect the ‘transfer fund’ commands from an app and make the user believe that the request had been processed successfully.

According to the researchers, “Of the 100 apps selected for manual audit, 41 apps proved to have exploitable vulnerabilities. We could gather bank account information, payment credentials for PayPal, American Express and others. Furthermore, Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted.”

The researchers declined to disclose the names of the tested apps but revealed that some of them had been downloaded millions of times. They hinted at one service, a “very popular cross-platform messaging service,” that easily leaks telephone numbers from users’ directories. They also hinted at other services: “When using a Facebook or Google account for login, the app initiates OAuth login sequences and leaks Facebook or Google login credentials.”

Google declined to comment to Mashable on the report.