Some Android apps found to have serious SSL vulnerabilities

Researchers from two German universities have found that a large number of Android applications available today in the Google Play store have vulnerabilities related to SSL usage which may open the door for malicious man-in-the-middle attacks. You can find several blog posts explaining the vulnerabilities including one from Network World and the H Online.

The researchers explain several of the mis-use cases that can arise in these Android apps in their paper, linked below. Listed from the paper, these include:

“Trusting all Certificates. The TrustManager interface can be implemented to trust all certificates, irrespective of who signed them or even for what subject they were issued.

Allowing all Hostnames. It is possible to forgo checks of whether the certificate was issued for this address or not, i. e., when accessing the server, a certificate issued for is accepted.

Trusting many CAs. This is not necessarily a flaw, but Android 4.0 trusts 134 CA root certificates per default. Due to the attacks on several CAs in 2011, the problem of the large number of trusted CAs is actively debated.

Mixed-Mode/No SSL. App developers are free to mix secure and insecure connections in the same app or not use SSL at all. This is not directly an SSL issue, but it is relevant to mention that there are no outward signs and no possibility for a common app user to check whether a secure connection is being used. This opens the door for attacks such as SSL stripping or tools like Firesheep.”

To read the full paper, take a look here. The wolfSSL embedded SSL library runs on Android and can be used in Android NDK-based applications for SSL support. If you need guidance on how to correctly use wolfSSL in your project or application, email us at for more information.

Research Paper: Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security
Network World: Some Android apps have serious SSL vulnerabilities, researchers say