Multiple Android applications fail to properly validate SSL certificates

Overview

Multiple Android applications fail to properly validate SSL certificates provided by HTTPS connections, which may allow an attacker to perform a man-in-the-middle (MITM) attack.

Description

When communicating via HTTPS, an application should validate the SSL chain to be sure that the certificate produced by the site was provided by a trusted root certificate authority (CA). Multiple Android applications fail to properly validate SSL certificates. Additional information can be found in the CERT Oracle Secure Coding Standard for Java:

DRD19-J. Properly verify server certificate on SSL/TLS

Details of the methodology used to test applications with CERT Tapioca are described in the CERT/CC blog.

In March 2014 the Federal Trade Commission settled charges with two vendors (Fandango and Credit Karma) for failing to securely transmit sensitive personal information. An FTC press release states that “Consumers are increasingly using mobile apps for sensitive transactions. Yet research suggests that many companies, like Fandango and Credit Karma, have failed to properly implement SSL encryption.”

---

Impact

An attacker on the same network as the Android device may be able to view or modify network traffic that should have been protected by HTTPS. The impact varies based on what the application is doing. Possible outcomes include credential stealing or arbitrary code execution.

---

Solution

Apply an update

Please refer to the Android application SSL spreadsheet for details about affected applications and the availability of fixes. If you are unable to view this document, a static copy of the spreadsheet is available here: [Android apps that fail to validate SSL.xlsx](<https://kb.cert.org/static-bigvince-prod-kb-eb/vincepub/files/582497_attach_Android apps that fail to validate SSL.xlsx> “Android apps that fail to validate SSL.xlsx” )

If fixes are not available for your application, please consider the following workarounds:

---

Do not use affected applications

Many Android applications are unnecessary in that the content they provide access to is available via other means. For example, while a bank may provide an Android application for accessing its resources, those same resources are usually available by using a web browser. By using a web browser to access those resources, you can help avoid situations where SSL may not be validated.

Avoid untrusted networks

Avoid using untrusted networks, including public WiFi. Using your device on an untrusted network increases the chance of falling victim to a MITM attack.

---

Vendor Information

Due to the number of affected applications, tested applications, versions, CVE identifiers, CERT VU# identifiers and other information will be available in the spreadsheet Android App SSL Failures. This spreadsheet will be kept up to date with newly-discovered vulnerable applications, fixed versions, manual testing notes, and other information.

The vendors listed below are simply vendors that operate Android application stores. We notified these vendors to mention the testing that we are performing and also suggest that similar testing could be used at the point where an application is tested for suitability for inclusion in their respective application stores.

---

582497

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Amazon Unknown

Notified: August 06, 2014 Updated: August 06, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Fortinet, Inc. Unknown

Notified: January 09, 2014 Updated: January 05, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Google Unknown

Notified: August 05, 2014 Updated: August 05, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

PNC Bank Unknown

Notified: October 01, 2014 Updated: October 01, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Windstream Unknown

Notified: January 09, 2014 Updated: January 05, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

CVSS Metrics

Group	Score	Vector
Base	7.8	AV:A/AC:L/Au:N/C:C/I:C/A:N
Temporal	7	E:F/RL:W/RC:C
Environmental	7.5	CDP:ND/TD:H/CR:H/IR:H/AR:ND

References

• <https://docs.google.com/spreadsheets/d/1t5GXwjw82SyunALVJb2w0zi3FoLRIkfGPc7AMjRF0r4/edit?usp=sharing&gt;
• <http://www.fireeye.com/blog/technical/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html&gt;
• <http://developer.android.com/training/articles/security-ssl.html&gt;
• <http://www.ftc.gov/news-events/press-releases/2014/03/fandango-credit-karma-settle-ftc-charges-they-deceived-consumers&gt;
• <http://android-ssl.org/&gt;
• <http://android-ssl.org/files/p49.pdf&gt;
• <http://android-ssl.org/files/p50-fahl.pdf&gt;
• <http://cwe.mitre.org/data/definitions/295.html&gt;
• <http://cwe.mitre.org/data/definitions/296.html&gt;

Acknowledgements

This vulnerability was reported by Will Dormann of the CERT/CC. Additional reporters of the concept of Android apps that fail to validate SSL certificates include Tony Trummer, Tushar Dalvi, and Kuo Chiang. Other individuals that publicly reported this issue include: Sascha Fahl, Marian Harbach,Thomas Muders, Matthew Smith, Lars Baumgärtner, and Bernd Freisleben.

This document was written by Will Dormann.

Other Information

CVE IDs:	None
Date Public:	2012-10-16 Date First Published: