#1
Game-over HTTPS defects in dozens of Android apps expose user passwords
Remember kids, Linux is _secure_ and Android is the best evidence of that:

http://feeds.arstechnica.com/~r/arstechnica/index/~3/pe9l4loZCRk/

Researchers have unearthed dozens of Android apps—in the official Google Play store—that expose user passwords because the apps fail to properly implement HTTPS encryption during logins or don't use it at all. The roster of faulty apps have more than 200 million collective downloads from Google Play and have remained vulnerable even after developers were alerted to the defects. The apps include the official titles from the National Basketball Association, the Match.com dating service, the Safeway supermarket chain, and the PizzaHut restaurant chain. They were uncovered by AppBugs, a developer of a free Android app that spots dangerous apps installed on users' handsets.

AppBugs CEO Rui Wang told Ars that the Match.com app uses unencrypted hypertext transfer protocol when sending user passwords, making it trivial for people in a position to monitor the traffic—such as someone on the same Wi-Fi network—to read the credentials. Other apps, such as NBA Game Time and those from Safeway and PizzaHut, use HTTPS encryption but don't implement it correctly. As a result, a man-in-the-middle attacker can use a self-signed or otherwise fraudulent digital certificate to read the login data.

"As shown in the video demo, when the victim user logs into his League Pass account in the app, a third party machine will be able to grab the password and username," Wang wrote in an e-mail. "The attacker could be some stranger who monitors the traffic of a public Wi-Fi or a compromised router on the Internet which logs the traffic quietly."

[Image: NBA GameTime App]

Wang said the NBA app requires an NBA League Pass Account, which according to this official NBA video costs $199. He said his company reported the vulnerability to the app developer in late February but never got a response. The developers of the Match.com, Safeway, and PizzaHut apps, as well as more than 50 other apps, similarly failed to respond. In all, Wang said he discovered 100 apps that didn't HTTPS-protect login credentials, only 28 of which have since been fixed.

[Related: Android apps still suffer game-over HTTPS defects 7 months later. Apps with 350 million downloads fail to detect simple man-in-the-middle attack.]

Although it wouldn't be hard for Google to detect such shortcomings in the apps it makes available on its own servers, there's no indication that the company does that. The results come a couple months after student researchers at City College of San Francisco found Android apps collectively downloaded at least 350 million times suffered similarly fatal HTTPS flaws. They also come after a critical bug in a popular code library for iOS developers caused fatal HTTPS failures in an estimated 1,500 apps for iPhones and iPads. The results make it clear that Android users, and to some extent, iOS users too, are on their own when it comes to ensuring the safety of the apps they install on their devices.

--
Slimer
Proud "wintroll"
Encrypt.
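The two defects the quoted article describes, "uses HTTPS but doesn't implement it correctly" and "doesn't use it at all", as an added Java illustration of what they look like in an Android client and what the fixed form looks like; this is not code from the article or from any of the apps it names, and the host names are constructed placeholders.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/**
 * Added illustration, not code from the Ars article or from any app it names.
 * Host names used in main() are constructed placeholders.
 */
public final class LoginTransport {

    /**
     * VULNERABLE: what "uses HTTPS but doesn't implement it correctly" usually
     * looks like in source. checkServerTrusted never throws, so every chain is
     * accepted, and the HostnameVerifier accepts every name. A self-signed
     * certificate presented by whoever controls the network path passes the
     * handshake and the login body is readable to them. The pattern is usually
     * added to silence a certificate error in development and never removed;
     * it is what a code review or an automated scan should flag.
     */
    static void installTrustAllTransport() throws GeneralSecurityException {
        TrustManager[] trustEverything = new TrustManager[] {
            new X509TrustManager() {
                @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustEverything, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            @Override public boolean verify(String hostname, SSLSession session) { return true; }
        });
    }

    /**
     * HARDENED: install nothing. The platform default SSLContext validates the
     * chain against the device trust store and checks the host name, so a
     * self-signed or mis-issued certificate fails the handshake with
     * SSLHandshakeException instead of silently exposing credentials. The
     * scheme check covers the article's other defect: a login sent over plain
     * HTTP. openConnection() does not contact the server; connect() would.
     */
    static HttpsURLConnection openLoginConnection(URL loginUrl) throws IOException {
        if (!"https".equalsIgnoreCase(loginUrl.getProtocol())) {
            throw new IOException("refusing to send credentials over " + loginUrl.getProtocol());
        }
        HttpURLConnection raw = (HttpURLConnection) loginUrl.openConnection();
        if (!(raw instanceof HttpsURLConnection)) {
            throw new IOException("expected an HTTPS connection for " + loginUrl.getHost());
        }
        HttpsURLConnection conn = (HttpsURLConnection) raw;
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setInstanceFollowRedirects(false); // a redirect to http:// must not downgrade the login
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholder URLs; neither call opens a network connection.
        try {
            openLoginConnection(new URL("http://login.example.test/session"));
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        HttpsURLConnection ok = openLoginConnection(new URL("https://login.example.test/session"));
        System.out.println("prepared HTTPS login request to " + ok.getURL().getHost());
    }
}
```

In a review of a decompiled app, a `checkServerTrusted` body that is empty or only logs, and a `HostnameVerifier.verify` that returns a constant `true`, are the two signatures that distinguish the first function from the second.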
#2
Game-over HTTPS defects in dozens of Android apps expose user passwords
Slimer wrote:
> Remember kids, Linux is _secure_ and Android is the best evidence of that:
> http://feeds.arstechnica.com/~r/arstechnica/index/~3/pe9l4loZCRk/
>
> Researchers have unearthed dozens of Android apps—in the official Google Play store—that expose user passwords because the apps fail to properly implement HTTPS encryption during logins or don't use it at all. The roster of faulty apps have more than 200 million collective downloads from Google Play and have remained vulnerable even after developers were alerted to the defects. The apps include the official titles from the National Basketball Association, the Match.com dating service, the Safeway supermarket chain, and the PizzaHut restaurant chain. They were uncovered by AppBugs, a developer of a free Android app that spots dangerous apps installed on users' handsets. AppBugs CEO Rui Wang told Ars that the Match.com app uses unencrypted hypertext transfer protocol when sending user passwords, making it trivial for people in a position to monitor the traffic—such as someone on the same Wi-Fi network—to read the credentials. Other apps, such as NBA Game Time and those from Safeway and PizzaHut, use HTTPS encryption but don't implement it correctly. As a result, a man-in-the-middle attacker can use a self-signed or otherwise fraudulent digital certificate to read the login data.
>
> "As shown in the video demo, when the victim user logs into his League Pass account in the app, a third party machine will be able to grab the password and username," Wang wrote in an e-mail. "The attacker could be some stranger who monitors the traffic of a public Wi-Fi or a compromised router on the Internet which logs the traffic quietly."
>
> [Image: NBA GameTime App]
>
> Wang said the NBA app requires an NBA League Pass Account, which according to this official NBA video costs $199. He said his company reported the vulnerability to the app developer in late February but never got a response. The developers of the Match.com, Safeway, and PizzaHut apps, as well as more than 50 other apps, similarly failed to respond. In all, Wang said he discovered 100 apps that didn't HTTPS-protect login credentials, only 28 of which have since been fixed.
>
> [Related: Android apps still suffer game-over HTTPS defects 7 months later. Apps with 350 million downloads fail to detect simple man-in-the-middle attack.]
>
> Although it wouldn't be hard for Google to detect such shortcomings in the apps it makes available on its own servers, there's no indication that the company does that. The results come a couple months after student researchers at City College of San Francisco found Android apps collectively downloaded at least 350 million times suffered similarly fatal HTTPS flaws. They also come after a critical bug in a popular code library for iOS developers caused fatal HTTPS failures in an estimated 1,500 apps for iPhones and iPads. The results make it clear that Android users, and to some extent, iOS users too, are on their own when it comes to ensuring the safety of the apps they install on their devices.

I must be stupid or something, but does Windows 8 have anything to do with Android? Android is Google, and that is less secure than Windows. Why don't you go peddle your BS someplace else?
#3
Game-over HTTPS defects in dozens of Android apps expose user passwords
On 2015-06-20 4:39 PM, Dino wrote:
> Slimer wrote:
>> Remember kids, Linux is _secure_ and Android is the best evidence of that:
>> http://feeds.arstechnica.com/~r/arstechnica/index/~3/pe9l4loZCRk/
>>
>> Researchers have unearthed dozens of Android apps—in the official Google Play store—that expose user passwords because the apps fail to properly implement HTTPS encryption during logins or don't use it at all. The roster of faulty apps have more than 200 million collective downloads from Google Play and have remained vulnerable even after developers were alerted to the defects. The apps include the official titles from the National Basketball Association, the Match.com dating service, the Safeway supermarket chain, and the PizzaHut restaurant chain. They were uncovered by AppBugs, a developer of a free Android app that spots dangerous apps installed on users' handsets. AppBugs CEO Rui Wang told Ars that the Match.com app uses unencrypted hypertext transfer protocol when sending user passwords, making it trivial for people in a position to monitor the traffic—such as someone on the same Wi-Fi network—to read the credentials. Other apps, such as NBA Game Time and those from Safeway and PizzaHut, use HTTPS encryption but don't implement it correctly. As a result, a man-in-the-middle attacker can use a self-signed or otherwise fraudulent digital certificate to read the login data.
>>
>> "As shown in the video demo, when the victim user logs into his League Pass account in the app, a third party machine will be able to grab the password and username," Wang wrote in an e-mail. "The attacker could be some stranger who monitors the traffic of a public Wi-Fi or a compromised router on the Internet which logs the traffic quietly."
>>
>> [Image: NBA GameTime App]
>>
>> Wang said the NBA app requires an NBA League Pass Account, which according to this official NBA video costs $199. He said his company reported the vulnerability to the app developer in late February but never got a response. The developers of the Match.com, Safeway, and PizzaHut apps, as well as more than 50 other apps, similarly failed to respond. In all, Wang said he discovered 100 apps that didn't HTTPS-protect login credentials, only 28 of which have since been fixed.
>>
>> [Related: Android apps still suffer game-over HTTPS defects 7 months later. Apps with 350 million downloads fail to detect simple man-in-the-middle attack.]
>>
>> Although it wouldn't be hard for Google to detect such shortcomings in the apps it makes available on its own servers, there's no indication that the company does that. The results come a couple months after student researchers at City College of San Francisco found Android apps collectively downloaded at least 350 million times suffered similarly fatal HTTPS flaws. They also come after a critical bug in a popular code library for iOS developers caused fatal HTTPS failures in an estimated 1,500 apps for iPhones and iPads. The results make it clear that Android users, and to some extent, iOS users too, are on their own when it comes to ensuring the safety of the apps they install on their devices.
>
> I must be stupid or something, but does Windows 8 have anything to do with Android? Android is Google, and that is less secure than Windows. Why don't you go peddle your BS someplace else?

I actually posted it to the wrong group and I apologize.

--
Slimer
Proud "wintroll"
Encrypt.
#4
Game-over HTTPS defects in dozens of Android apps expose user passwords
Android is Linux.

"Dino" wrote in message ...
> I must be stupid or something, but does Windows 8 have anything to do with Android? Android is Google, and that is less secure than Windows. Why don't you go peddle your BS someplace else?
#5
Game-over HTTPS defects in dozens of Android apps expose user passwords
Bob Mcwire wrote:
> Android is Linux.
>
> "Dino" wrote in message ...
>> I must be stupid or something, but does Windows 8 have anything to do with Android? Android is Google, and that is less secure than Windows. Why don't you go peddle your BS someplace else?

Linux is only the kernel. What people add on to it makes a distro or app.
#6
Game-over HTTPS defects in dozens of Android apps expose user passwords
Wish I could argue with conviction about Linux, just heard Android is based on Linux.

"Dino" wrote in message ...
> Bob Mcwire wrote:
>> Android is Linux.
>>
>> "Dino" wrote in message ...
>>> I must be stupid or something, but does Windows 8 have anything to do with Android? Android is Google, and that is less secure than Windows. Why don't you go peddle your BS someplace else?
>
> Linux is only the kernel. What people add on to it makes a distro or app.
#7
Game-over HTTPS defects in dozens of Android apps expose user passwords
On 06/20/2015 09:12 PM, basic user wrote:
> Wish I could argue with conviction about Linux, just heard Android is based on Linux.
>
> "Dino" wrote in message ...
>> Bob Mcwire wrote:
>>> Android is Linux.
>>>
>>> "Dino" wrote in message ...
>>>> I must be stupid or something, but does Windows 8 have anything to do with Android? Android is Google, and that is less secure than Windows. Why don't you go peddle your BS someplace else?
>>
>> Linux is only the kernel. What people add on to it makes a distro or app.

You can't argue over Linux because true users are like me, and I don't care what anybody says; I use it and like it. I usually triple boot, and if only Windows can do what I want, I use it also. I don't know which one is better as long as it gets my stuff done.
#8
Game-over HTTPS defects in dozens of Android apps expose user passwords
You should care what people say, especially if those people have something to teach you. I don't know either which system is better, just because I never felt the need to use Linux.

"Dino" wrote in message ...
> On 06/20/2015 09:12 PM, basic user wrote:
>> Wish I could argue with conviction about Linux, just heard Android is based on Linux.
>>
>> "Dino" wrote in message ...
>>> Bob Mcwire wrote:
>>>> Android is Linux.
>>>>
>>>> "Dino" wrote in message ...
>>>>> I must be stupid or something, but does Windows 8 have anything to do with Android? Android is Google, and that is less secure than Windows. Why don't you go peddle your BS someplace else?
>>>
>>> Linux is only the kernel. What people add on to it makes a distro or app.
>
> You can't argue over Linux because true users are like me, and I don't care what anybody says; I use it and like it. I usually triple boot, and if only Windows can do what I want, I use it also. I don't know which one is better as long as it gets my stuff done.
#9
Game-over HTTPS defects in dozens of Android apps expose user passwords
Slimer wrote:
> Remember kids, Linux is _secure_ and Android is the best evidence of that:
> http://feeds.arstechnica.com/~r/arstechnica/index/~3/pe9l4loZCRk/

[snipped the plagiarized article]

Do you often shoot yourself in your own foot? Android OS is Linux. So Linux (the variant of which you don't bother to mention) is secure but Linux (Android OS) is not secure. Uh huh. Looks like you wanted to slam Windows but hit the wrong target.

My reading of the article says the *apps* are ****ed up by *them* not using HTTPS, not that there is a problem in the Linux-based Android OS.
#10
Game-over HTTPS defects in dozens of Android apps expose user passwords
On 2015-06-20 10:49 PM, VanguardLH wrote:
> Slimer wrote:
>> Remember kids, Linux is _secure_ and Android is the best evidence of that:
>> http://feeds.arstechnica.com/~r/arstechnica/index/~3/pe9l4loZCRk/
>
> [snipped the plagiarized article]
>
> Do you often shoot yourself in your own foot? Android OS is Linux. So Linux (the variant of which you don't bother to mention) is secure but Linux (Android OS) is not secure. Uh huh. Looks like you wanted to slam Windows but hit the wrong target.
>
> My reading of the article says the *apps* are ****ed up by *them* not using HTTPS, not that there is a problem in the Linux-based Android OS.

The point here is that Google Play, the store from which Android users get their software, is dishing out insecure software which allows for their passwords to be stolen. People like to say that Windows is a magnet for malware, but here is evidence that Android is the mobile equivalent of a malware magnet. You're right, this doesn't point to a problem with the Linux kernel, but it DOES point to a problem with the Android ecosystem, which is continuously showing people that it has no interest in providing a stable, secure and safe environment for users.

--
Slimer
Proud "wintroll"
Encrypt.
#11
Game-over HTTPS defects in dozens of Android apps expose user passwords
Slimer wrote:
> On 2015-06-20 10:49 PM, VanguardLH wrote:
>> Slimer wrote:
>>> Remember kids, Linux is _secure_ and Android is the best evidence of that:
>>> http://feeds.arstechnica.com/~r/arstechnica/index/~3/pe9l4loZCRk/
>>
>> [snipped the plagiarized article]
>>
>> Do you often shoot yourself in your own foot? Android OS is Linux. So Linux (the variant of which you don't bother to mention) is secure but Linux (Android OS) is not secure. Uh huh. Looks like you wanted to slam Windows but hit the wrong target.
>>
>> My reading of the article says the *apps* are ****ed up by *them* not using HTTPS, not that there is a problem in the Linux-based Android OS.
>
> The point here is that Google Play, the store from which Android users get their software, is dishing out insecure software which allows for their passwords to be stolen. People like to say that Windows is a magnet for malware, but here is evidence that Android is the mobile equivalent of a malware magnet. You're right, this doesn't point to a problem with the Linux kernel, but it DOES point to a problem with the Android ecosystem, which is continuously showing people that it has no interest in providing a stable, secure and safe environment for users.

So what's new? The Mozilla plug-ins site is dishing out tons of add-ons that are crap code, spyware (sometimes announced, sometimes not), conflict with other add-ons (to reduce stability), have been abandoned, or have severe problems. Mozilla claims to have a review process, but it doesn't seem very effective to ensure a source of stable, non-conflicting, and supported plug-ins. Sourceforge.net is rifled with abandonware, works in progress (that are distributed as finished products but are not), and other crapware. Every download site (Cnet, Softpedia, etc.) has crapware, spyware, adware, and badly coded programs. Microsoft pushes updates that cause severe problems, even to the point of preventing the bootup of Windows. The drivers pushed by Windows Update may not even be for your hardware or the correct version of it. The Microsoft Store carries programs that obviously Microsoft didn't write. You can get Far Cry games through the Microsoft store and they have bugs that can not only crash the game but halt the OS even after applying patches. I doubt that everything at the Apple Store is "clean".

Even with review process, if present, asking a software distribution center to ensure all software from their site that is written by someone else is like asking your ISP to ensure that all web traffic to your host is safe, not in a category you find offensive, and is always legal. That's not really their job.
#12
Game-over HTTPS defects in dozens of Android apps expose user passwords
On Sun, 21 Jun 2015 00:53:00 -0500, VanguardLH wrote:
> Even with review process, if present, asking a software distribution center to ensure[*] all software from their site that is written by someone else is like asking your ISP to ensure that all web traffic to your host is safe, not in a category you find offensive, and is always legal. That's not really their job.

* He means 'validate'.

Maybe it should be?
#13
Game-over HTTPS defects in dozens of Android apps expose user passwords
On 2015-06-21 1:53 AM, VanguardLH wrote:
> Slimer wrote:
>> On 2015-06-20 10:49 PM, VanguardLH wrote:
>>> Slimer wrote:
>>>> Remember kids, Linux is _secure_ and Android is the best evidence of that:
>>>> http://feeds.arstechnica.com/~r/arstechnica/index/~3/pe9l4loZCRk/
>>>
>>> [snipped the plagiarized article]
>>>
>>> Do you often shoot yourself in your own foot? Android OS is Linux. So Linux (the variant of which you don't bother to mention) is secure but Linux (Android OS) is not secure. Uh huh. Looks like you wanted to slam Windows but hit the wrong target.
>>>
>>> My reading of the article says the *apps* are ****ed up by *them* not using HTTPS, not that there is a problem in the Linux-based Android OS.
>>
>> The point here is that Google Play, the store from which Android users get their software, is dishing out insecure software which allows for their passwords to be stolen. People like to say that Windows is a magnet for malware, but here is evidence that Android is the mobile equivalent of a malware magnet. You're right, this doesn't point to a problem with the Linux kernel, but it DOES point to a problem with the Android ecosystem, which is continuously showing people that it has no interest in providing a stable, secure and safe environment for users.
>
> So what's new? The Mozilla plug-ins site is dishing out tons of add-ons that are crap code, spyware (sometimes announced, sometimes not), conflict with other add-ons (to reduce stability), have been abandoned, or have severe problems. Mozilla claims to have a review process, but it doesn't seem very effective to ensure a source of stable, non-conflicting, and supported plug-ins. Sourceforge.net is rifled with abandonware, works in progress (that are distributed as finished products but are not), and other crapware. Every download site (Cnet, Softpedia, etc.) has crapware, spyware, adware, and badly coded programs. Microsoft pushes updates that cause severe problems, even to the point of preventing the bootup of Windows. The drivers pushed by Windows Update may not even be for your hardware or the correct version of it. The Microsoft Store carries programs that obviously Microsoft didn't write. You can get Far Cry games through the Microsoft store and they have bugs that can not only crash the game but halt the OS even after applying patches. I doubt that everything at the Apple Store is "clean".
>
> Even with review process, if present, asking a software distribution center to ensure all software from their site that is written by someone else is like asking your ISP to ensure that all web traffic to your host is safe, not in a category you find offensive, and is always legal. That's not really their job.

Actually yes, it IS their job to make sure that any software being made available in the Store isn't malware. It is ridiculous for you to claim otherwise. It's known as quality control, something sorely lacking in American enterprises nowadays.

--
Slimer
Proud "wintroll"
Encrypt.
#14
Game-over HTTPS defects in dozens of Android apps expose user passwords
On Sun, 21 Jun 2015 10:12:13 -0400, Slimer wrote:
> On 2015-06-21 1:53 AM, VanguardLH wrote:
>> Slimer wrote:
>>> On 2015-06-20 10:49 PM, VanguardLH wrote:
>>>> Slimer wrote:
>>>>> Remember kids, Linux is _secure_ and Android is the best evidence of that:
>>>>> http://feeds.arstechnica.com/~r/arstechnica/index/~3/pe9l4loZCRk/
>>>>
>>>> [snipped the plagiarized article]
>>>>
>>>> Do you often shoot yourself in your own foot? Android OS is Linux. So Linux (the variant of which you don't bother to mention) is secure but Linux (Android OS) is not secure. Uh huh. Looks like you wanted to slam Windows but hit the wrong target.
>>>>
>>>> My reading of the article says the *apps* are ****ed up by *them* not using HTTPS, not that there is a problem in the Linux-based Android OS.
>>>
>>> The point here is that Google Play, the store from which Android users get their software, is dishing out insecure software which allows for their passwords to be stolen. People like to say that Windows is a magnet for malware, but here is evidence that Android is the mobile equivalent of a malware magnet. You're right, this doesn't point to a problem with the Linux kernel, but it DOES point to a problem with the Android ecosystem, which is continuously showing people that it has no interest in providing a stable, secure and safe environment for users.
>>
>> So what's new? The Mozilla plug-ins site is dishing out tons of add-ons that are crap code, spyware (sometimes announced, sometimes not), conflict with other add-ons (to reduce stability), have been abandoned, or have severe problems. Mozilla claims to have a review process, but it doesn't seem very effective to ensure a source of stable, non-conflicting, and supported plug-ins. Sourceforge.net is rifled with abandonware, works in progress (that are distributed as finished products but are not), and other crapware. Every download site (Cnet, Softpedia, etc.) has crapware, spyware, adware, and badly coded programs. Microsoft pushes updates that cause severe problems, even to the point of preventing the bootup of Windows. The drivers pushed by Windows Update may not even be for your hardware or the correct version of it. The Microsoft Store carries programs that obviously Microsoft didn't write. You can get Far Cry games through the Microsoft store and they have bugs that can not only crash the game but halt the OS even after applying patches. I doubt that everything at the Apple Store is "clean".
>>
>> Even with review process, if present, asking a software distribution center to ensure all software from their site that is written by someone else is like asking your ISP to ensure that all web traffic to your host is safe, not in a category you find offensive, and is always legal. That's not really their job.
>
> Actually yes, it IS their job to make sure that any software being made available in the Store isn't malware. It is ridiculous for you to claim otherwise. It's known as quality control, something sorely lacking in American enterprises nowadays.

But your original post was meant to take a crack at Linux; now you are trying to backtrack. Also, that of which you complain is not malware, it's poorly written software.
#15
Game-over HTTPS defects in dozens of Android apps expose user passwords
On 2015-06-21 11:43 AM, dave wrote:
> On Sun, 21 Jun 2015 10:12:13 -0400, Slimer wrote:
>> On 2015-06-21 1:53 AM, VanguardLH wrote:
>>> Slimer wrote:
>>>> On 2015-06-20 10:49 PM, VanguardLH wrote:
>>>>> Slimer wrote:
>>>>>> Remember kids, Linux is _secure_ and Android is the best evidence of that:
>>>>>> http://feeds.arstechnica.com/~r/arstechnica/index/~3/pe9l4loZCRk/
>>>>>
>>>>> [snipped the plagiarized article]
>>>>>
>>>>> Do you often shoot yourself in your own foot? Android OS is Linux. So Linux (the variant of which you don't bother to mention) is secure but Linux (Android OS) is not secure. Uh huh. Looks like you wanted to slam Windows but hit the wrong target.
>>>>>
>>>>> My reading of the article says the *apps* are ****ed up by *them* not using HTTPS, not that there is a problem in the Linux-based Android OS.
>>>>
>>>> The point here is that Google Play, the store from which Android users get their software, is dishing out insecure software which allows for their passwords to be stolen. People like to say that Windows is a magnet for malware, but here is evidence that Android is the mobile equivalent of a malware magnet. You're right, this doesn't point to a problem with the Linux kernel, but it DOES point to a problem with the Android ecosystem, which is continuously showing people that it has no interest in providing a stable, secure and safe environment for users.
>>>
>>> So what's new? The Mozilla plug-ins site is dishing out tons of add-ons that are crap code, spyware (sometimes announced, sometimes not), conflict with other add-ons (to reduce stability), have been abandoned, or have severe problems. Mozilla claims to have a review process, but it doesn't seem very effective to ensure a source of stable, non-conflicting, and supported plug-ins. Sourceforge.net is rifled with abandonware, works in progress (that are distributed as finished products but are not), and other crapware. Every download site (Cnet, Softpedia, etc.) has crapware, spyware, adware, and badly coded programs. Microsoft pushes updates that cause severe problems, even to the point of preventing the bootup of Windows. The drivers pushed by Windows Update may not even be for your hardware or the correct version of it. The Microsoft Store carries programs that obviously Microsoft didn't write. You can get Far Cry games through the Microsoft store and they have bugs that can not only crash the game but halt the OS even after applying patches. I doubt that everything at the Apple Store is "clean".
>>>
>>> Even with review process, if present, asking a software distribution center to ensure all software from their site that is written by someone else is like asking your ISP to ensure that all web traffic to your host is safe, not in a category you find offensive, and is always legal. That's not really their job.
>>
>> Actually yes, it IS their job to make sure that any software being made available in the Store isn't malware. It is ridiculous for you to claim otherwise. It's known as quality control, something sorely lacking in American enterprises nowadays.
>
> But your original post was meant to take a crack at Linux; now you are trying to backtrack. Also, that of which you complain is not malware, it's poorly written software.

The original post was meant for comp.os.linux.advocacy, where the Linux advocates tout Android's success as evidence that Linux won. They deny the fact that Linux-based Android is filled with malware and that Linux code was responsible for widespread problems like Heartbleed. That article shows that yes, Linux-based Android is indeed filled with bad code in addition to its malware problem. I'm not backtracking anything.

--
Slimer
Proud "wintroll"
Encrypt.