Security is obviously one of the biggest concerns that users have when downloading and using apps on smartphones and tablets, and it appears that they are correct to be concerned if the latest reports are anything to go by. New research carried out by the Leibniz University of Hannover and the Philipps University of Marburg suggests that a number of popular Android apps that are freely available on the Play Store have inadequate mechanisms in place to protect data that has been supplied by the user and has passed through the app.
The researchers have shown that important and private information such as e-mail addresses, passwords, banking information and social network login credentials could all be vulnerable when certain apps are downloaded and used. A large number of free-to-download apps were tested as part of the security-centric trials, all of which are available on the Play Store. A number of the applications left a trail of sensitive data when used across a number of different Android devices running Ice Cream Sandwich.
Although the private information is potentially left available for prying eyes by the apps themselves, it did require that the scientists use a number of existing exploits to bypass security measures that are put in place by the app. The initial tests began with those involved choosing over 13,500 free-of-charge apps, which were then investigated and put through static analysis tests. That initial number was then whittled down to 100 apps that were manually audited with the intention of determining whether or not SSL on the device could be bypassed.
Although the researchers have chosen not to name anyone as part of their official report, they do confirm that the apps that formed part of the tests have been downloaded a significant number of times by Android users, in some cases receiving up to 185 million downloads. The amount and type of information that has been extracted from the vulnerable apps should cause a lot of concern among most Android users:
"We could gather bank account information, payment credentials for PayPal, American Express and others. Furthermore, Facebook, email and cloud storage credentials and messages were leaked."
Google has yet to provide any official response to the research, and it is unknown whether or not any of the tested apps were developed by the Big G themselves. It is also being said that there are steps that Google could take in an attempt to make sure that developers are following security protocols more stringently in order to protect the data of their users.