A report by security experts indicates that as many as 185 million Android users around the world may be vulnerable to man-in-the-middle attacks. This means that even as the communications protocol is secure in itself, messages can be intercepted during data exchanges through spoofing of security certificates, and malicious hackers or software can tamper with communications.
Computer scientists from Germany’s Leibniz University of Hannover and Philpps University of Marburg have attempted such attacks, and say they could retrieve sensitive information from an Android smartphone.
We could gather bank account information, payment credentials for PayPal, American Express and others. Furthermore, Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted.
The researchers say other information is also vulnerable, and this can include emails and instant messages.
What’s troubling is that the study even includes one anti-virus app, which was found to have accepted invalid SSL certificates when updating its malware database. This can easily be exploited by a malicious hacker, who can feed his own malicious signatures into the app.
The study has also found a generic online banking application to be vulnerable to man-in-the-middle attacks, as well as a popular cross-platform instant messaging application.
As for solutions, the researchers recommended beefing up security, such as by using security certificate pinning. Thereis also a recommendation for Google to provide warnings when a connection is not encrypted.