From Ars Technica:
More than seven months after being flagged as vulnerable, more than a dozen Android apps collectively downloaded at least 350 million times still contain fatal HTTPS flaws that cause them to leak passwords, phone numbers, and other highly sensitive user data, student researchers at City College of San Francisco found.
The vulnerable apps include OKCupid Dating, Dish Anywhere, ASTRO File Manager with Cloud, CityShop – for Craigslist, and PicsArt Photo Studio, which collectively have commanded from 170 million to 670 million downloads, according to official Google Play figures. Most of the titles have been updated regularly, but they continue to contain a game-over vulnerability that fails to detect fraudulent transport layer security (TLS) certificates, according to a blog post published Sunday by Sam Bowne, a security researcher who teaches a class on the ethical hacking of mobile devices at the City College of San Francisco. They likely are a tiny fraction of the Android apps that suffer the same flaw.
All 15 of the apps called out by Bowne’s class were first flagged as unsafe in a September blog post from the CERT Division of the Software Engineering Institute. In the September post, researcher Will Dormann said CERT was contacting developers of all 23,668 apps found to be vulnerable. Bowne’s class didn’t have the resources to check all of the apps on the list, so it’s likely many more also remain unfixed. Bowne assigned this class project after independently discovering that all text transmitted by Snap Secure could be decrypted by anyone presenting the app with a fraudulent TLS certificate.
To test the apps, Bowne’s students used the freely available Burp software suite and an invalid TLS certificate to attempt a man-in-the-middle attack. Vulnerable apps were those that trusted the certificate and used the private key…
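The check the class ran, reduced to a runnable illustration (an added example, not code from the article or from any of the apps named): a client whose certificate verification is switched off hands its request to a server presenting a certificate no trust store knows, while a client with default validation refuses the handshake. The apps are Android (Java/Kotlin); Go is used here because its standard library can stand up a throwaway HTTPS server with an untrusted certificate in a few lines, and the flaw class is the same. The function names and the sample "session-token" body are assumptions of this example.

```go
package main

import (
	"crypto/tls"
	"io"
	"net/http"
	"net/http/httptest"
)

// newUntrustedServer starts a loopback HTTPS server with a self-signed
// certificate, standing in for the invalid certificate the class presented.
func newUntrustedServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "session-token") // constructed sample secret
	}))
}

// fetch performs one GET with cfg; a non-nil error means the handshake was refused.
func fetch(url string, cfg *tls.Config) (string, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// VulnerableConfig reproduces the flaw in the article: certificate
// verification is switched off, so any certificate on the wire is accepted.
func VulnerableConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true} // never ship this
}

// StrictConfig keeps Go's default chain validation against the trust store.
func StrictConfig() *tls.Config {
	return &tls.Config{}
}

// AcceptsUntrustedCert reports whether a client built from cfg hands its
// request (and whatever secrets it carries) to the untrusted server.
func AcceptsUntrustedCert(cfg *tls.Config) bool {
	srv := newUntrustedServer()
	defer srv.Close()
	_, err := fetch(srv.URL, cfg)
	return err == nil
}
```

The same two-client comparison, pointed at a proxy like Burp instead of the local server, is what separated the vulnerable apps from the safe ones in the class's testing.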