How a hidden Android bug could endanger your personal data

In 2023, Android devices accounted for over 72% of the global smartphone market, highlighting the critical importance of security in these widely used devices. A recent discovery by researchers at Concordia’s Gina Cody School of Engineering and Computer Science exposes a vulnerability that affects millions of Android users.

The team, consisting of researchers Sajjad Pourali, Xiufen Yu and Professors Mohammad Mannan and Amr Youssef, along with Professor Lianying Zhao from Carleton University, uncovered a widespread problem in how Android apps verify the security of their connections to the internet—a process known as TLS certificate validation. TLS, or Transport Layer Security, is the standard technology that ensures a secure and encrypted link between an app and its servers, safeguarding data from eavesdroppers.

The researchers found that many apps are not performing this security check properly. This issue occurs when the default functions that perform such security check are incorrectly overridden—either replaced with flawed security checks or, at times, not performed at all.

"The consequences of these insecure practices are severe,” warns Mannan who is a professor at the Concordia Institute for Information Systems Engineering. “Insecure TLS connections can lead to the exposure of personal information, login credentials, and even allow attackers to modify app content or inject malicious code."

They reviewed over 7,800 Android apps from both Google Play and the popular Chinese app store 360 Mobile Assistant. Shockingly, 55% of the apps from the Chinese store and 6% from Google Play had at least one insecure TLS connection.

The root cause? A modification in the OkHttp library, a fundamental component used by many Android apps to manage internet connections. This library was inadvertently modified by Google in a way that made it easy for app components or added libraries to bypass proper security checks.

In their study, researchers also found that 89% of the Chinese apps and 38% of the Google Play apps with TLS issues were using these insecure methods to transmit sensitive data like passwords and personal information.

According to the researchers, Google acknowledged the issue but expressed concerns that a fix might disrupt app compatibility across their ecosystem.

Their research will be presented in detail at the upcoming Usenix Security Symposium in Philadephia, USA. The team also plans to make Marvin, their diagnostic tool, available open-source, to assist developers and researchers in identifying and mitigating similar vulnerabilities.

Learn more about the Concordia Institute for Information Systems Engineering (CIISE)