“Gartner Listed - mobile application security guide”

January 18, 2017

“Encrypted” apps on the Play Store?

The Play Store has plenty of apps that advertise themselves as secure. Many of them, though, use poorly implemented encryption and meet a low standard of Android app security, adopting the “secure app” label without any real Android app security testing behind it.

The claim comes from two researchers at the University of Strathclyde, James Irvine and Greig Paul, who tested the encryption claims of “secure” Android apps in detail. They selected nine apps for their research, some of them from “Top Developers” endorsed by Google, and examined whether each really protected photos, videos and passwords with encryption as advertised. None of these ad-funded apps lived up to the Android app security standard their marketing implied.

All nine apps under study had major security weaknesses. Some did not encrypt files at all; others encrypted them with a static key hard-coded into the app, so the same key is present in every installation. Anyone who extracts that key from one copy of the app (for example by decompiling the APK) can decrypt the files of every other user.

The researchers used a known-plaintext attack (comparing a file whose contents are already known with its encrypted form) to recover the static key of the Video Locker app by Handy Apps; the PIN code used alongside the static key was also easily recovered. Password Locker, by the same developer, had similar weaknesses. It poses an even more serious threat, since it not only puts stored passwords at risk but also offers to synchronise them with Google or Dropbox accounts, so the weakly protected data leaves the device. Another app, Video Locker Advanced, claims to use fast encryption techniques but does nothing of the kind: it only flips the first hundred bits of the file, leaving the rest in the clear. None of the nine apps is open source, which should not be the case for security-related apps, since it leaves users no way to verify the claims.
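To make the two weaknesses above concrete, here is an added Python example written for this page. It is not the researchers' code and not the code of any of the apps named: it assumes a hypothetical XOR-with-a-repeating-static-key scheme and a made-up key, and its sample "files" are constructed inline. It shows why a static key falls to a known-plaintext attack from a second installation, why inverting only the first hundred bits is not encryption, and what a per-installation key derivation looks like instead.

```python
import hashlib
import os

# --- Weakness 1: one hard-coded key shared by every installation ------------
# Hypothetical key for the toy scheme; the real apps' keys are not reproduced.
STATIC_KEY = b"HardCodedVault16"


def static_xor(data: bytes, key: bytes = STATIC_KEY) -> bytes:
    """Toy 'encryption': XOR with a repeating static key. Self-inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_keystream(known_plain: bytes, ciphertext: bytes) -> bytes:
    """Known-plaintext attack: for any XOR/stream scheme the keystream is
    plaintext XOR ciphertext over the bytes whose plaintext we know."""
    n = min(len(known_plain), len(ciphertext))
    return bytes(p ^ c for p, c in zip(known_plain[:n], ciphertext[:n]))


def shortest_period(stream: bytes) -> bytes:
    """Shortest repeating unit of a recovered keystream, i.e. the static key.
    Only works if the known plaintext is at least one key length long."""
    for p in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return stream[:p]
    return stream


def attack_static_key(attacker_plain: bytes, victim_cipher: bytes) -> bytes:
    """The attacker stores a file they control in their OWN copy of the app,
    reads the ciphertext the app wrote, recovers the key, and decrypts a
    file taken from someone else's device. Works because the key is static."""
    attacker_cipher = static_xor(attacker_plain)  # what the app writes to disk
    key = shortest_period(recover_keystream(attacker_plain, attacker_cipher))
    return static_xor(victim_cipher, key)


# --- Weakness 2: 'encryption' that only inverts the first hundred bits -------
def flip_first_bits(data: bytes, nbits: int = 100) -> bytes:
    """Toy version of a scheme that only inverts the first nbits bits.
    Self-inverse; every byte after the 13th is stored unchanged."""
    out = bytearray(data)
    for bit in range(min(nbits, len(data) * 8)):
        out[bit // 8] ^= 0x80 >> (bit % 8)
    return bytes(out)


# --- What a per-installation key looks like instead -------------------------
def derive_key(pin: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """PIN stretched with PBKDF2-HMAC-SHA256 and a random salt generated once
    at first run. Two installs with the same PIN get unrelated keys, so
    extracting one install's key does not help against another. The key
    should feed an AEAD such as AES-GCM; that cipher is not in the standard
    library, so the encryption step itself is not shown here."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations, dklen=32)


if __name__ == "__main__":
    # Constructed sample files: a JPEG-style header followed by filler bytes.
    jpeg_header = bytes.fromhex("ffd8ffe000104a4649460001")
    victim_photo = jpeg_header + bytes(range(64))
    victim_cipher = static_xor(victim_photo)           # from the victim's device
    attacker_file = jpeg_header + b"attacker-controlled padding"  # attacker's own
    print("static key broken:", attack_static_key(attacker_file, victim_cipher) == victim_photo)

    flipped = flip_first_bits(victim_photo)
    print("bytes 13.. untouched:", flipped[13:] == victim_photo[13:])

    salt_a, salt_b = os.urandom(16), os.urandom(16)
    print("same PIN, different keys:", derive_key("1234", salt_a) != derive_key("1234", salt_b))
```

Note that `shortest_period` needs a known plaintext at least as long as the key; with a shorter one the attacker still learns a prefix of the key and can decrypt the corresponding prefix of every file. The hardened side only shows key derivation: the point is that the key material must differ per installation and be bound to a user secret, which is exactly what a hard-coded key is not.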

Google does not appear to be paying much attention to Android app security here: it has taken no action against the misleading developers. It should take firm measures against misrepresentation of apps and raise the bar for “Top Developer” status, particularly for security apps.

Codified Security is here to help make your mobile app secure, whether that means iOS or Android app security testing or making sure you clear the OWASP Mobile Top 10. For mobile app security testing, try out Codified Security.