US CERT has identified about 3,400 Android apps to date that do not properly validate SSL certificates, leaving them open to MITM attacks. Possible outcomes are credential stealing or arbitrary code generation. Of these, about 250 apps are very popular, i.e. over 1 million downloads, and include apps such as Galaxy S5 Live Wallpaper, Slide Show Creator, Windows Live Hotmail Push, FriendCaster Chat, DISH Anywhere, Kim Kardashian, among many others. It appears that CERT will announce many more apps that fail SSL validation over the following months.

Details are here: http://www.kb.cert.org/vuls/id/582497

What is the mobile industry doing about this?

To check your apps, you can download the free Belarc Security Advisor from the Google Play store. It currently covers about 900 of the vulnerable apps, and updates will include future vulnerable apps. Details are here: http://m.belarc.com/sa.html

Regards,
Sumin
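As an added illustration (not code from the post, from CERT, or from Belarc), here is the Java pattern behind most "fails SSL validation" findings, beside the correct approach of leaving platform validation alone; the URL used by main is an assumed placeholder:

```java
import java.io.IOException;
import java.net.URL;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class TlsValidationDemo {
    // The anti-pattern: a TrustManager that never throws, so any certificate,
    // including one an interception proxy mints on the fly, is accepted.
    // Typically added to make a self-signed dev server work, then shipped.
    static final TrustManager[] TRUST_EVERYTHING = { new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    } };

    // Vulnerable: installs the accept-all trust manager and also disables the
    // hostname check. In a code review, grep for empty checkServerTrusted
    // bodies and HostnameVerifier implementations that return true.
    static HttpsURLConnection openInsecure(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, TRUST_EVERYTHING, new SecureRandom());
        HttpsURLConnection c = (HttpsURLConnection) url.openConnection();
        c.setSSLSocketFactory(ctx.getSocketFactory());
        c.setHostnameVerifier((hostname, session) -> true);
        return c;
    }

    // Correct: override neither. The platform default validates the chain
    // against the system trust store and matches the hostname, so a forged
    // certificate aborts the handshake with SSLHandshakeException.
    static HttpsURLConnection openSecure(URL url) throws IOException {
        return (HttpsURLConnection) url.openConnection();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder URL (assumed for this demo); pass your own as args[0].
        URL url = new URL(args.length > 0 ? args[0] : "https://example.com/");
        try {
            HttpsURLConnection c = openSecure(url);
            System.out.println("HTTP " + c.getResponseCode() + " from "
                + ((X509Certificate) c.getServerCertificates()[0]).getSubjectX500Principal());
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake rejected (correct behaviour): " + e.getMessage());
        }
    }
}
```

Running main against an endpoint whose certificate is not trusted by the device (for example, a test proxy whose CA was never installed) should end in the catch branch; if an app connects successfully in that situation, it is using something like openInsecure.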
