94 pc Android Apps Are Vulnerable: Study

by CXOtoday News Desk    Aug 19, 2014


Over 94 percent of popular Android applications are potentially vulnerable, according to new research by Palo Alto Networks that highlights security risks in the internal storage used by applications on devices running Google’s Android operating system.

According to the research, Android internal storage is a protected area that Android-based applications use to store private information, including usernames and passwords. However, an attacker may be able to steal sensitive information from most of the applications running on an Android device by using the Android Debug Bridge (ADB) backup/restore function. In addition, most of the security enhancements added by Google to prevent this type of attack can be bypassed.

According to the study, those using a device running version 4.0 of Android are at greater risk, as about 85 percent of such Android systems in use today are potentially vulnerable.

“For using ADB, an attacker would need physical access to the device, whether scrounging or pilfering information from the user; an attacker could also take control of a system to which the device is connected with the help of a USB,” says the report, adding that over 94 percent of popular Android applications, including pre-installed email and browser applications, use the backup system, which implies that users are vulnerable.

Going forward, more Android applications will store user passwords in plain text in Android Internal Storage, meaning almost all popular e-mail clients, FTP clients and SSH client applications are vulnerable. According to Ryan Olson, intelligence director, Unit 42, Palo Alto Networks, “Google has set the default for applications to allow back-ups; application developers are responsible for disabling the feature or otherwise restricting backups; however, the high percentage of applications that have not disabled or restricted backups suggests many developers are unaware of the risks.”

The researchers recommend that Android users disable USB debugging when it is not needed, and that application developers protect users by restricting backups from including sensitive information using a Backup Agent. “We encourage users to be aware and Google to take a closer look at this storage weakness in Android. Given Android’s place as the world’s most popular mobile operating system, millions of users are potentially at risk,” summed up Olson.
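As an added example (not code from the study or from this article), one way a developer or reviewer could check the backup setting described above: the script reads a decoded AndroidManifest.xml and reports whether `android:allowBackup` is disabled, left at its backup-allowing default, or paired with an `android:backupAgent`. The sample manifests, package and class names, and verdict labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

def backup_posture(manifest_xml):
    """Classify the backup setting in a decoded (plain-text) AndroidManifest.xml."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return "no-application-element"
    allow = app.get(ANDROID_NS + "allowBackup")
    agent = app.get(ANDROID_NS + "backupAgent")
    if allow is not None:
        value = allow.strip().lower()
        if value == "false":
            return "backup-disabled"
        if value != "true":
            # e.g. "@bool/...": the real value lives in the app's resources
            return "unresolved-resource"
    if agent:
        # The manifest only names the agent; what it leaves out needs code review.
        return "custom-agent:" + agent
    # An absent attribute means the platform default, which allows backups.
    return "backup-allowed" if allow is not None else "backup-allowed-by-default"

# Constructed sample manifests (package and class names are made up).
HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.%s">'
SAMPLES = {
    "default": HEAD % "a" + '<application android:label="A"/></manifest>',
    "explicit": HEAD % "b" + '<application android:allowBackup="true"/></manifest>',
    "disabled": HEAD % "c" + '<application android:allowBackup="false"/></manifest>',
    "agent": HEAD % "d" + '<application android:allowBackup="true" '
             'android:backupAgent=".SafeAgent"/></manifest>',
    "resource": HEAD % "e" + '<application android:allowBackup="@bool/bk"/></manifest>',
}

def audit(samples):
    """Return {sample name: verdict} for a dict of manifest strings."""
    return {name: backup_posture(xml) for name, xml in samples.items()}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name:10} {verdict}")
```

A `custom-agent` verdict only means an agent is declared; whether it keeps credentials out of the backup depends on the agent's own code.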