Report: Passwords, Email Contents Of Millions Of Android Users At Risk

A new academic paper indicates that improper SSL protections on popular Android apps may have led to hackers obtaining millions of users' passwords, email contents, and bank account numbers.

German researchers have discovered a serious Android security lapse that is possibly exposing the passwords, bank account information, and email contents of as many as 185 million users. According to a joint team at the University of Marburg and Leibniz University of Hannover, 41 applications available via Google's Play Market have serious security flaws that regularly leak sensitive data.

Inadequate SSL and TLS protections on Android smartphones running Ice Cream Sandwich were responsible for the security lapses. “We could gather bank account information, payment credentials for PayPal, American Express and others […] Furthermore, Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted,” the researchers wrote.
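The article does not say exactly how the apps' SSL/TLS handling was inadequate. The added example below (written for this page; it is not code from the researchers, FastCompany, or any of the 41 apps) assumes the two flaws most commonly behind this class of finding on Android: a custom `X509TrustManager` that accepts every certificate chain, and a `HostnameVerifier` that accepts every host name. Either one lets an on-path attacker present a forged or mismatched certificate and read the "encrypted" traffic. The hardened form simply leaves the platform defaults in place, and `usesDefaultValidation` is a small audit helper for spotting overridden validation in code review or tests.

```java
import java.io.IOException;
import java.net.URL;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class TlsValidationExample {

    // ANTI-PATTERN: a TrustManager that trusts every certificate chain.
    // checkServerTrusted() never throws, so a certificate forged by a
    // man-in-the-middle is accepted and the session contents are exposed.
    static final X509TrustManager TRUST_EVERYTHING = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // ANTI-PATTERN: a HostnameVerifier that accepts any name, so a certificate
    // that is valid for some other domain is accepted for the bank's domain.
    static final HostnameVerifier ALLOW_ALL_HOSTS = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) { return true; }
    };

    // The vulnerable wiring: custom trust manager plus permissive verifier.
    static HttpsURLConnection openInsecure(URL url)
            throws IOException, NoSuchAlgorithmException, KeyManagementException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { TRUST_EVERYTHING }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(ALLOW_ALL_HOSTS);
        return conn;
    }

    // Hardened form: do not override anything. The default socket factory
    // validates the chain against the device trust store and the default
    // verifier checks the certificate's name against the URL's host.
    static HttpsURLConnection openSecure(URL url) throws IOException {
        return (HttpsURLConnection) url.openConnection();
    }

    // Audit heuristic: a connection still using the platform defaults has not
    // had its validation replaced. A custom factory or verifier is a review flag.
    static boolean usesDefaultValidation(HttpsURLConnection conn) {
        return conn.getHostnameVerifier() == HttpsURLConnection.getDefaultHostnameVerifier()
            && conn.getSSLSocketFactory() == HttpsURLConnection.getDefaultSSLSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholder URL; openConnection() does not contact the network.
        URL url = new URL("https://example.com/");
        System.out.println("insecure connection keeps default validation: "
            + usesDefaultValidation(openInsecure(url)));   // false
        System.out.println("secure connection keeps default validation:   "
            + usesDefaultValidation(openSecure(url)));     // true
    }
}
```

The audit helper only catches overrides made through `HttpsURLConnection`; apps that build raw `SSLSocket`s or use a third-party HTTP stack need the equivalent check at that layer. The underlying rule is the same: never replace the trust manager or hostname verifier with one that cannot fail.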

The report did not name the 41 applications with the security flaws, and it is not known whether the application developers were informed of the serious user privacy lapses. The researchers' harvesting of personal information could easily be replicated by amateur hackers using a variety of well-known exploits.


9 Comments

  • Guest

    If this is about Android, why is an image of an Ubuntu desktop shown above? Don't confuse the two, FastCompany.

  • Theylooklikeidiots

    It's not a desktop, Ubuntu is running off the Android phone, but yeah still, it makes them look like they have no idea what they're talking about.

  • michael sinor

    Didn't they accomplish all of it with staged MITM attacks? I don't really see the point of the research if it can't be reproduced in a common way. Further this article doesn't discuss any of this, making it sound like everyone is in imminent danger. MITM is a problem for every system I was aware of that doesn't go to extra steps to prevent Man in the middle specifically. 

    Maybe you're talking about something else?

  • Guest

    > Millions of Android users at risk.

    Thank God it's only Android apps.  And 0 Blackberry, iPhone, and PC apps.

    Oh, wait.

  • Robert

    One part of this is really really stupid:
    Email.  Email for the large part is never encrypted. It's usually plain text transmitted.  Always has been.  There are desktop applications for encrypting mail, but since that requires the recipient to have an email client that can decrypt it, few people use that.

    This is not new to Androids, or anything else. It is just the way it has always been.

  • Guest

    Web-based email access CAN and DOES automatically encrypt/decrypt email through https use.

    For me?  Nothing I have in email is that private or that personal.  I couldn't care less if you read about my sister's new car, in my email account.  (Nor would she care.)