Most Popular Apps in Google Play Store Use Weak Cryptography for Sensitive Data


steven36

Software relies on insecure data protection properties

Free Android apps in Google’s marketplace with more than one million downloads have been found to rely on vulnerable cryptographic schemes for protecting the sensitive information they store.

An analysis on the most popular 9,339 free apps available in the official Android store reveals that about 62% of them (5,147) fail to properly secure confidential data and could allow an attacker to steal the protected info by exploiting different weak points.

Stateless encryption algorithms are most prevalent

Researchers at FireEye conducted the test on the sample that met the popularity criteria mentioned above as of November 22, 2014.

The security experts studied vulnerabilities related to the lack of high entropy, stateless encryption algorithms and password-based encryption.

The largest part of the products found cryptographically insecure used stateless algorithms for encryption, which means that one input has the exact same output every time it is encrypted; an attacker could use a reverse dictionary to find the original string, without needing to know the keys used for encryption.

In the case of low-entropy-related weaknesses, FireEye identified 1,762 apps that used a static key for encrypting the information, which could be extracted in order to reverse the process.

918 products were found to base their data protection mechanism on password-based encryption; 409 of them used static salts (a random sequence of characters added to the passphrase to make it more difficult to guess). If the generated salt is a constant value, then the algorithm is weak and the information can be extracted.

Vulnerable encryption algorithms

“4972 apps use Cipher instances. Of these 2913 (58%) use the stateless ECB transformations and are hence vulnerable to Chosen-Plaintext-Attacks,” FireEye researchers say in a blog post.

Also relating to encryption algorithm weaknesses, they say that of the 3,895 apps employing stateful CBC transformations, 931 “use static initial vectors that can be easily extracted from the app by decompiling the app bytecode. Given that a static initial vector does not change across sessions, the CBC algorithm instance no longer possesses the IND-CPA property and thus becomes effectively stateless.”

By integrating strong cryptographic principles for securing important information, the resources and time a threat actor would need to break them render an attack not worth carrying out.
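The "stateless" property the article describes for ECB and for CBC with a static IV is easy to observe directly. The following is an added example, not code from the article or from FireEye's research: it encrypts the same message twice under ECB, under CBC with a constant IV, and under CBC with a fresh random IV, and checks whether the ciphertext repeats. Android apps use Java's Cipher API, but the property is the same in any implementation; the key, IV and message below are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// pkcs7 pads msg to a whole number of AES blocks.
func pkcs7(msg []byte) []byte {
	n := aes.BlockSize - len(msg)%aes.BlockSize
	return append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// EncryptECB encrypts each block independently, so equal plaintexts under one
// key always give equal ciphertexts: the "stateless" weakness described above.
func EncryptECB(block cipher.Block, msg []byte) []byte {
	pt := pkcs7(msg)
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}

// EncryptCBC runs AES-CBC and prepends the IV. A constant iv reproduces the
// flagged static-IV pattern; nil draws a fresh random IV (the IND-CPA fix).
func EncryptCBC(block cipher.Block, iv, msg []byte) []byte {
	if iv == nil {
		iv = make([]byte, aes.BlockSize)
		if _, err := rand.Read(iv); err != nil {
			panic(err)
		}
	}
	pt := pkcs7(msg)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return append(append([]byte{}, iv...), ct...)
}

func main() {
	block, _ := aes.NewCipher([]byte("0123456789abcdef")) // constructed 16-byte key
	iv := []byte("hardcoded-iv-000")                      // constructed constant IV
	msg := []byte("session-token-42")
	fmt.Println("ECB repeats:", bytes.Equal(EncryptECB(block, msg), EncryptECB(block, msg)))
	fmt.Println("CBC static IV repeats:", bytes.Equal(EncryptCBC(block, iv, msg), EncryptCBC(block, iv, msg)))
	fmt.Println("CBC random IV repeats:", bytes.Equal(EncryptCBC(block, nil, msg), EncryptCBC(block, nil, msg)))
}
```

The first two checks print true, the third false: only the random-IV variant denies an attacker the ability to match stored ciphertexts against a precomputed table of likely plaintexts.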
