
Apps with at least 350 million combined downloads fail to detect a simple man-in-the-middle attack.



From Ars Technica:
More than seven months after being flagged as vulnerable, more than a dozen Android apps collectively downloaded at least 350 million times still contain fatal HTTPS flaws that cause them to leak passwords, phone numbers, and other highly sensitive user data, student researchers at City College of San Francisco found.

The vulnerable apps include OKCupid Dating, Dish Anywhere, ASTRO File Manager with Cloud, CityShop – for Craigslist, and PicsArt Photo Studio, which collectively have commanded from 170 million to 670 million downloads, according to official Google Play figures. Most of the titles have been updated regularly, but they continue to contain a game-over vulnerability that fails to detect fraudulent transport layer security (TLS) certificates, according to a blog post published Sunday by Sam Bowne, a security researcher who teaches a class on the ethical hacking of mobile devices at the City College of San Francisco. They likely are a tiny fraction of the Android apps that suffer the same flaw.
Source: Android apps still suffer game-over HTTPS defects 7 months later (Ars Technica)