SSL Security Deliberately Broken in Many Mobile Apps

Recent findings from Symantec show that some mobile app developers are deliberately breaking the secure communication channel between the browser and the server, allowing potentially private data to be sent via insecure SSL connections.

As Symantec explains, the little padlock shown in your browser indicates a secure communication channel between the browser and the server, meaning the connection is encrypted and your data is safe. When the lock is broken, however, any data sent to the server is easily visible and can be intercepted or compromised.

In their survey of hundreds of thousands of mobile apps in public app stores, Symantec found that “those that were breaking the lock were usually doing so intentionally. In addition, users are often none the wiser when it comes to this developer activity.” 

Symantec’s findings show “7% of iOS and 3.4% of Android mobile apps intentionally break the lock, actively transferring data to insecure network servers and disabling SSL validation.” Additionally, although vulnerable apps were found across all categories, gaming and financial apps topped the list.
