Game-over HTTPS defects in dozens of Android apps expose user passwords

Researchers have unearthed dozens of Android apps in the official Google Play store that expose user passwords because the apps fail to properly implement HTTPS encryption during logins or don't use it at all.

The roster of faulty apps have more than 200 million collective downloads from Google Play and have remained vulnerable even after developers were alerted to the defects. The apps include the official titles from the National Basketball Association, the dating service, the Safeway supermarket chain, and the PizzaHut restaurant chain. They were uncovered by AppBugs, a developer of a free Android app that spots dangerous apps installed on users' handsets.

AppBugs CEO Rui Wang told Ars that the app uses unencrypted hypertext transfer text protocol when sending user passwords, making it trivial for people in a position to monitor the traffic—such as someone on the same Wi-Fi network—to read the credentials. Other apps, such as NBA Game Time and those from Safeway and PizzaHut use HTTPS encryption but don't implement it correctly. As a result, a man-in-the-middle attacker can use a self-signed or otherwise fraudulent digital certificate to read the login data.

Read 3 remaining paragraphs | Comments