Game-over HTTPS defects in dozens of Android apps expose user passwords

Remember kids, Linux is _secure_ and Android is the best evidence of that:

http://feeds.arstechnica.com/~r/arstechnica/index/~3/pe9l4loZCRk/

Researchers have unearthed dozens of Android apps ---- in the official
Google Play store ---- that expose user passwords because the apps fail
to properly implement HTTPS encryption during logins or don't use it at all.

The roster of faulty apps have more than 200 million collective
downloads from Google Play and have remained vulnerable even after
developers were alerted to the defects. The apps include the official
titles from the National Basketball Association, the Match.com dating
service, the Safeway supermarket chain, and the PizzaHut restaurant
chain. They were uncovered by AppBugs, a developer of a free Android app
that spots dangerous apps installed on users' handsets.

AppBugs CEO Rui Wang told Ars that the Match.com app uses unencrypted
hypertext transfer text protocol when sending user passwords, making it
trivial for people in a position to monitor the traffic—such as someone
on the same Wi-Fi network—to read the credentials. Other apps, such as
NBA Game Time and those from Safeway and PizzaHut use HTTPS encryption
but don't implement it correctly. As a result, a man-in-the-middle
attacker can use a self-signed or otherwise fraudulent digital
certificate to read the login data.

"As shown in the video demo, when the victim user logs into his League
Pass account in the app, a third party machine will be able to grab the
password and username," Wang wrote in an e-mail. "The attacker could be
some stranger who monitors the traffic of a public Wi-Fi or a
compromised router on the Internet which logs the traffic quietly."

NBA GameTime App.
Wang said the NBA app requires an NBA League Pass Account, which
according to this official NBA video costs $199. He said his company
reported the vulnerability to the app developer in late February but
never got a response. The developers of the Match.com, Safeway, and
PizzaHut apps, as well as more than 50 other apps, similarly failed to
respond. In all, Wang said he discovered 100 apps that didn't
HTTPS-protect login credentials, only 28 of which have since been fixed.

ANDROID APPS STILL SUFFER GAME-OVER HTTPS DEFECTS 7 MONTHS LATER
Apps with 350 million downloads fail to detect simple man-in-the-middle
attack.
Although it wouldn't be hard for Google to detect such shortcomings in
the apps it makes available on its own servers, there's no indication
that the company does that. The results come a couple months after
student researchers at City College of San Francisco found Android apps
collectively downloaded at least 350 million times suffered similarly
fatal HTTPS flaws. They also come after a critical bug in a popular code
library for iOS developers caused fatal HTTPS failures in an estimated
1,500 apps for iPhones and iPads. The results make it clear that Android
users, and to some extent, iOS users too, are on their own when it comes
to ensuring the safety of the apps they install on their devices.
--
Slimer
Proud "wintroll"
Encrypt.

Slimer wrote:
Remember kids, Linux is _secure_ and Android is the best evidence of that:

http://feeds.arstechnica.com/~r/arstechnica/index/~3/pe9l4loZCRk/

Researchers have unearthed dozens of Android apps ---- in the official
Google Play store ---- that expose user passwords because the apps fail
to properly implement HTTPS encryption during logins or don't use it at
all.

The roster of faulty apps have more than 200 million collective
downloads from Google Play and have remained vulnerable even after
developers were alerted to the defects. The apps include the official
titles from the National Basketball Association, the Match.com dating
service, the Safeway supermarket chain, and the PizzaHut restaurant
chain. They were uncovered by AppBugs, a developer of a free Android app
that spots dangerous apps installed on users' handsets.

AppBugs CEO Rui Wang told Ars that the Match.com app uses unencrypted
hypertext transfer text protocol when sending user passwords, making it
trivial for people in a position to monitor the traffic—such as someone
on the same Wi-Fi network—to read the credentials. Other apps, such as
NBA Game Time and those from Safeway and PizzaHut use HTTPS encryption
but don't implement it correctly. As a result, a man-in-the-middle
attacker can use a self-signed or otherwise fraudulent digital
certificate to read the login data.

"As shown in the video demo, when the victim user logs into his League
Pass account in the app, a third party machine will be able to grab the
password and username," Wang wrote in an e-mail. "The attacker could be
some stranger who monitors the traffic of a public Wi-Fi or a
compromised router on the Internet which logs the traffic quietly."

NBA GameTime App.
Wang said the NBA app requires an NBA League Pass Account, which
according to this official NBA video costs $199. He said his company
reported the vulnerability to the app developer in late February but
never got a response. The developers of the Match.com, Safeway, and
PizzaHut apps, as well as more than 50 other apps, similarly failed to
respond. In all, Wang said he discovered 100 apps that didn't
HTTPS-protect login credentials, only 28 of which have since been fixed.

ANDROID APPS STILL SUFFER GAME-OVER HTTPS DEFECTS 7 MONTHS LATER
Apps with 350 million downloads fail to detect simple man-in-the-middle
attack.
Although it wouldn't be hard for Google to detect such shortcomings in
the apps it makes available on its own servers, there's no indication
that the company does that. The results come a couple months after
student researchers at City College of San Francisco found Android apps
collectively downloaded at least 350 million times suffered similarly
fatal HTTPS flaws. They also come after a critical bug in a popular code
library for iOS developers caused fatal HTTPS failures in an estimated
1,500 apps for iPhones and iPads. The results make it clear that Android
users, and to some extent, iOS users too, are on their own when it comes
to ensuring the safety of the apps they install on their devices.

I must be stupid or something but Does Windows 8 have anything to do
with android.Android is google and that is less secure than windows.Why
don't you go peddle your BS someplace else.

On 2015-06-20 4:39 PM, Dino wrote:
Slimer wrote:
Remember kids, Linux is _secure_ and Android is the best evidence of
that:

http://feeds.arstechnica.com/~r/arstechnica/index/~3/pe9l4loZCRk/

Researchers have unearthed dozens of Android apps ---- in the official
Google Play store ---- that expose user passwords because the apps
fail to properly implement HTTPS encryption during logins or don't use
it at all.

The roster of faulty apps have more than 200 million collective
downloads from Google Play and have remained vulnerable even after
developers were alerted to the defects. The apps include the official
titles from the National Basketball Association, the Match.com dating
service, the Safeway supermarket chain, and the PizzaHut restaurant
chain. They were uncovered by AppBugs, a developer of a free Android
app that spots dangerous apps installed on users' handsets.

AppBugs CEO Rui Wang told Ars that the Match.com app uses unencrypted
hypertext transfer text protocol when sending user passwords, making
it trivial for people in a position to monitor the traffic—such as
someone on the same Wi-Fi network—to read the credentials. Other apps,
such as NBA Game Time and those from Safeway and PizzaHut use HTTPS
encryption but don't implement it correctly. As a result, a
man-in-the-middle attacker can use a self-signed or otherwise
fraudulent digital certificate to read the login data.

"As shown in the video demo, when the victim user logs into his League
Pass account in the app, a third party machine will be able to grab
the password and username," Wang wrote in an e-mail. "The attacker
could be some stranger who monitors the traffic of a public Wi-Fi or a
compromised router on the Internet which logs the traffic quietly."

NBA GameTime App.
Wang said the NBA app requires an NBA League Pass Account, which
according to this official NBA video costs $199. He said his company
reported the vulnerability to the app developer in late February but
never got a response. The developers of the Match.com, Safeway, and
PizzaHut apps, as well as more than 50 other apps, similarly failed to
respond. In all, Wang said he discovered 100 apps that didn't
HTTPS-protect login credentials, only 28 of which have since been fixed.

ANDROID APPS STILL SUFFER GAME-OVER HTTPS DEFECTS 7 MONTHS LATER
Apps with 350 million downloads fail to detect simple
man-in-the-middle attack.
Although it wouldn't be hard for Google to detect such shortcomings in
the apps it makes available on its own servers, there's no indication
that the company does that. The results come a couple months after
student researchers at City College of San Francisco found Android
apps collectively downloaded at least 350 million times suffered
similarly fatal HTTPS flaws. They also come after a critical bug in a
popular code library for iOS developers caused fatal HTTPS failures in
an estimated 1,500 apps for iPhones and iPads. The results make it
clear that Android users, and to some extent, iOS users too, are on
their own when it comes to ensuring the safety of the apps they
install on their devices.

I must be stupid or something but Does Windows 8 have anything to do
with android.Android is google and that is less secure than windows.Why
don't you go peddle your BS someplace else.

I actually posted it to the wrong group and I apologize.

--
Slimer
Proud "wintroll"
Encrypt.

Android is Linux.

"Dino" escreveu na mensagem ...

I must be stupid or something but Does Windows 8 have anything to do
with android.Android is google and that is less secure than windows.Why
don't you go peddle your BS someplace else.

Bob Mcwire wrote:
Android is Linux.

"Dino" escreveu na mensagem ...

I must be stupid or something but Does Windows 8 have anything to do
with android.Android is google and that is less secure than windows.Why
don't you go peddle your BS someplace else.

Linux is only the kernel.What people add on to it makes a distro or app.

Wish I could argue with conviction about Linux, just heard Android is based
on Linux.

"Dino" escreveu na mensagem ...

Bob Mcwire wrote:
Android is Linux.

"Dino" escreveu na mensagem ...

I must be stupid or something but Does Windows 8 have anything to do
with android.Android is google and that is less secure than windows.Why
don't you go peddle your BS someplace else.

Linux is only the kernel.What people add on to it makes a distro or app.

On 06/20/2015 09:12 PM, basic user wrote:
Wish I could argue with conviction about Linux, just heard Android is
based on Linux.

"Dino" escreveu na mensagem ...

Bob Mcwire wrote:
Android is Linux.

"Dino" escreveu na mensagem ...

I must be stupid or something but Does Windows 8 have anything to do
with android.Android is google and that is less secure than windows.Why
don't you go peddle your BS someplace else.

Linux is only the kernel.What people add on to it makes a distro or app.

You can't argue over Linux because true users are like Me and I don't
care what anybody says I use it and like it.I usually triple boot and if
only windows can do what I want I use it also.I don't know which one is
better as long as it gets my stuff done.

You should care what people say, especially if those people have something
to teach you. I don't know either which system is better just because I
never felt the need to use Linux.

On 06/20/2015 09:12 PM, basic user wrote:
Wish I could argue with conviction about Linux, just heard Android is
based on Linux.

Bob Mcwire wrote:
Android is Linux.

"Dino" escreveu na mensagem ...

I must be stupid or something but Does Windows 8 have anything to do
with android.Android is google and that is less secure than windows.Why
don't you go peddle your BS someplace else.

"Dino" escreveu na mensagem ...

Linux is only the kernel.What people add on to it makes a distro or app.

"Dino" escreveu na mensagem ...

You can't argue over Linux because true users are like Me and I don't
care what anybody says I use it and like it.I usually triple boot and if
only windows can do what I want I use it also.I don't know which one is
better as long as it gets my stuff done.

Slimer wrote:

Remember kids, Linux is _secure_ and Android is the best evidence of that:

http://feeds.arstechnica.com/~r/arstechnica/index/~3/pe9l4loZCRk/
snipped the plagarized article

Do you often shoot yourself in your own foot? Android OS is Linux. So
Linux (the variant of which you don't bother to mention) is secure but
Linux (Android OS) is not secure. Uh huh. Looks like you wanted to
slam Windows but hit the wrong target.

My reading of the article says the *apps* are ****ed up by *them* not
using HTTPS, not there is a problem in the Linux-based Android OS.

On 2015-06-20 10:49 PM, VanguardLH wrote:
Slimer wrote:

Remember kids, Linux is _secure_ and Android is the best evidence of that:

http://feeds.arstechnica.com/~r/arstechnica/index/~3/pe9l4loZCRk/
snipped the plagarized article

Do you often shoot yourself in your own foot? Android OS is Linux. So
Linux (the variant of which you don't bother to mention) is secure but
Linux (Android OS) is not secure. Uh huh. Looks like you wanted to
slam Windows but hit the wrong target.

My reading of the article says the *apps* are ****ed up by *them* not
using HTTPS, not there is a problem in the Linux-based Android OS.

The point here is that Google Play, the store from which Android users
get their software, is dishing out insecure software which allows for
their passwords to be stolen. People like to say that Windows is a
magnet for malware, but here is evidence that Android is the mobile
equivalent of a malware magnet. You're right, this doesn't point to a
problem with the Linux kernel, but it DOES point to a problem with the
Android ecosystem which is continuously showing people that it has no
interest in providing a stable, secure and safe environment for users.

--
Slimer
Proud "wintroll"
Encrypt.

Slimer wrote:

On 2015-06-20 10:49 PM, VanguardLH wrote:
Slimer wrote:

Remember kids, Linux is _secure_ and Android is the best evidence of that:

http://feeds.arstechnica.com/~r/arstechnica/index/~3/pe9l4loZCRk/
snipped the plagarized article

Do you often shoot yourself in your own foot? Android OS is Linux. So
Linux (the variant of which you don't bother to mention) is secure but
Linux (Android OS) is not secure. Uh huh. Looks like you wanted to
slam Windows but hit the wrong target.

My reading of the article says the *apps* are ****ed up by *them* not
using HTTPS, not there is a problem in the Linux-based Android OS.

The point here is that Google Play, the store from which Android users
get their software, is dishing out insecure software which allows for
their passwords to be stolen. People like to say that Windows is a
magnet for malware, but here is evidence that Android is the mobile
equivalent of a malware magnet. You're right, this doesn't point to a
problem with the Linux kernel, but it DOES point to a problem with the
Android ecosystem which is continuously showing people that it has no
interest in providing a stable, secure and safe environment for users.

So what's new? The Mozilla plug-ins site is dishing out tons of add-ons
that are crap code, spyware (sometimes announced, sometimes not),
conflicts with other add-ons (to reduce stability), have been abandoned,
or have severe problems. Mozilla claims to have a review process but it
doesn't seem much effective to ensure a source of stable, non-
conflicting, and supported plug-ins. Sourceforge.net is rifled with
abandonware, works in progress (that are distributed as finished
products but are not), and other crapware. Every download site (Cnet,
Softpedia, etc) has crapware, spyware, adware, and badly coded programs.
Microsoft pushes updates that cause severe problem, even to the point of
prevent the bootup of Windows. The drivers pushed by Windows Update may
not even be for your hardware or the correct version of it. The
Microsoft Store carries programs that obviously Microsoft didn't write.
You can get Far Cry games through the Microsoft store and they have bugs
that can not only crash the game but halt the OS even after applying
patches. I doubt that everything at the Apple Store is "clean".

Even with review process, if present, asking a software distribution
center to ensure all software from their site that is written by someone
else is like asking your ISP to ensure that all web traffic to your host
is safe, not in a category you find offensive, and is always legal.
That's not really their job.

On Sun, 21 Jun 2015 00:53:00 -0500, VanguardLH wrote:

Even with review process, if present, asking a software distribution
center to ensure[*] all software from their site that is written by someone
else is like asking your ISP to ensure that all web traffic to your host
is safe, not in a category you find offensive, and is always legal.
That's not really their job.

* He means 'validate'.

Maybe it should be?

On 2015-06-21 1:53 AM, VanguardLH wrote:
Slimer wrote:

On 2015-06-20 10:49 PM, VanguardLH wrote:
Slimer wrote:

Remember kids, Linux is _secure_ and Android is the best evidence of that:

http://feeds.arstechnica.com/~r/arstechnica/index/~3/pe9l4loZCRk/
snipped the plagarized article

Do you often shoot yourself in your own foot? Android OS is Linux. So
Linux (the variant of which you don't bother to mention) is secure but
Linux (Android OS) is not secure. Uh huh. Looks like you wanted to
slam Windows but hit the wrong target.

My reading of the article says the *apps* are ****ed up by *them* not
using HTTPS, not there is a problem in the Linux-based Android OS.

The point here is that Google Play, the store from which Android users
get their software, is dishing out insecure software which allows for
their passwords to be stolen. People like to say that Windows is a
magnet for malware, but here is evidence that Android is the mobile
equivalent of a malware magnet. You're right, this doesn't point to a
problem with the Linux kernel, but it DOES point to a problem with the
Android ecosystem which is continuously showing people that it has no
interest in providing a stable, secure and safe environment for users.

So what's new? The Mozilla plug-ins site is dishing out tons of add-ons
that are crap code, spyware (sometimes announced, sometimes not),
conflicts with other add-ons (to reduce stability), have been abandoned,
or have severe problems. Mozilla claims to have a review process but it
doesn't seem much effective to ensure a source of stable, non-
conflicting, and supported plug-ins. Sourceforge.net is rifled with
abandonware, works in progress (that are distributed as finished
products but are not), and other crapware. Every download site (Cnet,
Softpedia, etc) has crapware, spyware, adware, and badly coded programs.
Microsoft pushes updates that cause severe problem, even to the point of
prevent the bootup of Windows. The drivers pushed by Windows Update may
not even be for your hardware or the correct version of it. The
Microsoft Store carries programs that obviously Microsoft didn't write.
You can get Far Cry games through the Microsoft store and they have bugs
that can not only crash the game but halt the OS even after applying
patches. I doubt that everything at the Apple Store is "clean".

Even with review process, if present, asking a software distribution
center to ensure all software from their site that is written by someone
else is like asking your ISP to ensure that all web traffic to your host
is safe, not in a category you find offensive, and is always legal.
That's not really their job.

Actually yes, it IS their bug to make sure that any software being made
available in the Store isn't malware. It is ridiculous for you to claim
otherwise. It's known as quality control, something sorely lacking in
American enterprises nowadays.


--
Slimer
Proud "wintroll"
Encrypt.

On Sun, 21 Jun 2015 10:12:13 -0400, Slimer wrote:

On 2015-06-21 1:53 AM, VanguardLH wrote:
Slimer wrote:

On 2015-06-20 10:49 PM, VanguardLH wrote:
Slimer wrote:

Remember kids, Linux is _secure_ and Android is the best evidence of
that:

http://feeds.arstechnica.com/~r/arstechnica/index/~3/pe9l4loZCRk/
snipped the plagarized article

Do you often shoot yourself in your own foot? Android OS is Linux.
So Linux (the variant of which you don't bother to mention) is secure
but Linux (Android OS) is not secure. Uh huh. Looks like you wanted
to slam Windows but hit the wrong target.

My reading of the article says the *apps* are ****ed up by *them* not
using HTTPS, not there is a problem in the Linux-based Android OS.

The point here is that Google Play, the store from which Android users
get their software, is dishing out insecure software which allows for
their passwords to be stolen. People like to say that Windows is a
magnet for malware, but here is evidence that Android is the mobile
equivalent of a malware magnet. You're right, this doesn't point to a
problem with the Linux kernel, but it DOES point to a problem with the
Android ecosystem which is continuously showing people that it has no
interest in providing a stable, secure and safe environment for users.

So what's new? The Mozilla plug-ins site is dishing out tons of
add-ons that are crap code, spyware (sometimes announced, sometimes
not), conflicts with other add-ons (to reduce stability), have been
abandoned,
or have severe problems. Mozilla claims to have a review process but
it doesn't seem much effective to ensure a source of stable, non-
conflicting, and supported plug-ins. Sourceforge.net is rifled with
abandonware, works in progress (that are distributed as finished
products but are not), and other crapware. Every download site (Cnet,
Softpedia, etc) has crapware, spyware, adware, and badly coded
programs.
Microsoft pushes updates that cause severe problem, even to the point
of prevent the bootup of Windows. The drivers pushed by Windows Update
may not even be for your hardware or the correct version of it. The
Microsoft Store carries programs that obviously Microsoft didn't write.
You can get Far Cry games through the Microsoft store and they have
bugs that can not only crash the game but halt the OS even after
applying patches. I doubt that everything at the Apple Store is
"clean".

Even with review process, if present, asking a software distribution
center to ensure all software from their site that is written by
someone else is like asking your ISP to ensure that all web traffic to
your host is safe, not in a category you find offensive, and is always
legal. That's not really their job.

Actually yes, it IS their bug to make sure that any software being made
available in the Store isn't malware. It is ridiculous for you to claim
otherwise. It's known as quality control, something sorely lacking in
American enterprises nowadays.

But your original post was meant to take a crack at Linux, now you are
trying to backtrack. Also that of which you complain is not malware, it's
poorly written software.

On 2015-06-21 11:43 AM, dave wrote:
On Sun, 21 Jun 2015 10:12:13 -0400, Slimer wrote:

On 2015-06-21 1:53 AM, VanguardLH wrote:
Slimer wrote:

On 2015-06-20 10:49 PM, VanguardLH wrote:
Slimer wrote:

Remember kids, Linux is _secure_ and Android is the best evidence of
that:

http://feeds.arstechnica.com/~r/arstechnica/index/~3/pe9l4loZCRk/
snipped the plagarized article

Do you often shoot yourself in your own foot? Android OS is Linux.
So Linux (the variant of which you don't bother to mention) is secure
but Linux (Android OS) is not secure. Uh huh. Looks like you wanted
to slam Windows but hit the wrong target.

My reading of the article says the *apps* are ****ed up by *them* not
using HTTPS, not there is a problem in the Linux-based Android OS.

The point here is that Google Play, the store from which Android users
get their software, is dishing out insecure software which allows for
their passwords to be stolen. People like to say that Windows is a
magnet for malware, but here is evidence that Android is the mobile
equivalent of a malware magnet. You're right, this doesn't point to a
problem with the Linux kernel, but it DOES point to a problem with the
Android ecosystem which is continuously showing people that it has no
interest in providing a stable, secure and safe environment for users.

So what's new? The Mozilla plug-ins site is dishing out tons of
add-ons that are crap code, spyware (sometimes announced, sometimes
not), conflicts with other add-ons (to reduce stability), have been
abandoned,
or have severe problems. Mozilla claims to have a review process but
it doesn't seem much effective to ensure a source of stable, non-
conflicting, and supported plug-ins. Sourceforge.net is rifled with
abandonware, works in progress (that are distributed as finished
products but are not), and other crapware. Every download site (Cnet,
Softpedia, etc) has crapware, spyware, adware, and badly coded
programs.
Microsoft pushes updates that cause severe problem, even to the point
of prevent the bootup of Windows. The drivers pushed by Windows Update
may not even be for your hardware or the correct version of it. The
Microsoft Store carries programs that obviously Microsoft didn't write.
You can get Far Cry games through the Microsoft store and they have
bugs that can not only crash the game but halt the OS even after
applying patches. I doubt that everything at the Apple Store is
"clean".

Even with review process, if present, asking a software distribution
center to ensure all software from their site that is written by
someone else is like asking your ISP to ensure that all web traffic to
your host is safe, not in a category you find offensive, and is always
legal. That's not really their job.

Actually yes, it IS their bug to make sure that any software being made
available in the Store isn't malware. It is ridiculous for you to claim
otherwise. It's known as quality control, something sorely lacking in
American enterprises nowadays.

But your original post was meant to take a crack at Linux, now you are
trying to backtrack. Also that of which you complain is not malware, it's
poorly written software.

The original post was meant for comp.os.linux.advocacy where the Linux
advocates tout Android's success as evidence that Linux won. They deny
the fact that Linux-based Android is filled with malware and that Linux
code was responsible for widespread problems like HeartBleed. That
article shows that yes, Linux-based Android is indeed filled with bad
code in addition to its malware problem.

I'm not backtracking anything.

--
Slimer
Proud "wintroll"
Encrypt.