Fourteen apps, which combined represent an estimated 80 million downloads, have serious flaws in the way they handle social logins, according to an analysis by AppBugs.
AppBugs, which makes an app for tracking security vulnerabilities, found the problems in a variety of Android apps, all of which use social logins — in which you log in to the app using your Google, Microsoft, Facebook, Twitter, or similar accounts. For example:
- Astro File Manager exposes the passwords of Microsoft accounts. Astro has between 50 million and 100 million downloads, according to Google Play.
- MeituPic exposes its users’ Facebook, Baidu, and Renren.com accounts. MeituPic has between 10 million and 50 million downloads, Google Play reports.
- gReader, a popular news app, is, in AppBugs’ words, “completely exposing all social accounts of the users, including Facebook, Google, Twitter, Microsoft, and Evernote.” It has between 1 million and 5 million downloads.
(The complete list of apps identified by AppBugs is below.)
These problems are due to flaws in the way the apps handle SSL certificates, which web servers present to prove their identities. The flaws make it possible for an attacker to present a forged SSL certificate that the app accepts, so the attacker’s own server receives the users’ login credentials.
AppBugs’ chief technology officer and cofounder Rui Wang said that there was no single cause of the vulnerabilities in these apps.
“The vulnerable apps may be using a social library which is vulnerable, or they may put some vulnerable code by themselves due to whatever reason,” Wang said. “Sometimes it could be that the developers changed the library by themselves and introduced the bug.”
AppBugs said that it contacted each of these apps’ developers between one and four months ago, but it has received almost no responses.
“Until now, only 1 developer (Foxit MobilePDF) fixed the issue,” Wang said. “So it is really concerning that those developers do not act to protect the important user accounts.”
It is not uncommon for apps to transmit usernames and passwords in plain text, according to security experts. Many app developers are not sophisticated about security techniques and often unwittingly introduce vulnerabilities into their code.
AppBugs itself makes an app that can help developers and end-users mitigate the risk from these apps.
Jack Urban, a senior security researcher at Lookout, said that one problem was with the way pre-Honeycomb versions of Android implemented a component called WebView, which loads web pages within an app.
“Prior to Android API 11 (Honeycomb), WebViews do not have a way to validate the authenticity of the secure connection using SSL client certificates, making a man in the middle attack possible without the user or the app knowing it,” Urban said.
“In later Android versions, developers can work around this issue by implementing their own client certificate validation techniques when using WebViews,” Urban added. That, of course, requires developers to understand how client certificate validation works.
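As an added illustration of the two points above (the forged-certificate problem and the WebView workaround), here is the kind of certificate-handling mistake that lets a forged certificate through in an Android app, beside its hardened form. This is example code written for this article, not code from AppBugs or from any of the apps listed; the class and method names are hypothetical.

```java
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// INSECURE pattern 1: a WebViewClient that swallows certificate errors. Any forged
// certificate for the login page is accepted, so the social-login form, and the
// credentials typed into it, can be served by whoever controls the network.
class InsecureLoginWebViewClient extends WebViewClient {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.proceed(); // BUG: ignores the SslError and continues the TLS session
    }
}

// HARDENED form: abort on any certificate error and leave validation to the platform
// trust store; never call proceed() from this callback.
class HardenedLoginWebViewClient extends WebViewClient {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.cancel(); // error.getPrimaryError() can be logged for diagnostics
    }
}
// INSECURE pattern 2: a "trust everything" X509TrustManager, the kind of snippet that
// ends up in an app (or a modified social-login library) to silence certificate errors.
final class TrustAllManager implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] chain, String authType) {}
    public void checkServerTrusted(X509Certificate[] chain, String authType) {} // BUG: no check
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}
final class SocialLoginTransport {
    // Vulnerable: installs TrustAllManager for every HttpsURLConnection in the process.
    static void installInsecureTrust() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new TrustAllManager() }, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }
    // Hardened: keep the platform default factory, which validates the certificate chain
    // against the device's trusted CAs; the default HostnameVerifier checks the host name.
    static void useDefaultTrust() {
        HttpsURLConnection.setDefaultSSLSocketFactory((SSLSocketFactory) SSLSocketFactory.getDefault());
    }
}
```

A code review or static scan that flags `handler.proceed()` inside `onReceivedSslError` and any empty `checkServerTrusted` body catches both patterns before release.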
And as for end-users? Wang recommended not using the apps’ sign-in features until the developers have fixed the problems. And Urban advised people to be careful when connecting to the Internet via networks they don’t already trust.
Here’s the list of problem apps found by AppBugs. For more details, see AppBugs’ page on social plugin vulnerabilities in mobile apps, which includes videos demonstrating each vulnerability.
- Astro File Manager with Cloud
- Windows Live Hotmail Push Mail
- Brother iPrint & Scan
- Software Data Cable
- FriendCaster Chat
- PrintHand Mobile Print
- Phone for Google Voice & GTalk
- FoxIt MobilePDF (Editor’s note: Foxit fixed the vulnerability in this app after AppBugs contacted the company.)