Android Apps Susceptible to Man-in-the-Middle Attacks


Recently, the security company FireEye published an alarming blog post on how many Android apps are susceptible to man-in-the-middle (MITM) attacks. Of the 1,000 most downloaded free apps on Google Play, FireEye found that 68% had at least one serious SSL vulnerability.

Who’s This Man-in-the-Middle?

First, a short primer on MITM: this kind of attack happens when an attacker places a machine under their control between your device and the web server you (or in this case, your Android app) are trying to reach. The easiest place to do that is a network the attacker shares with you, such as a Wi-Fi hotspot.

Your app thinks it is communicating with its web server, but in fact everything it sends passes through the attacker's machine first, where it can be read or altered before being forwarded on. Mobile apps need to talk to remote servers in order to function, and most do so over HTTPS, or Hypertext Transfer Protocol Secure. HTTPS runs ordinary HTTP over SSL (Secure Sockets Layer) or its successor TLS (Transport Layer Security); the two names are used almost interchangeably, and the Android classes involved still carry the SSL name. SSL/TLS does two things: it encrypts the link between the app and the server, and it lets the app verify, through the server's certificate, that the other end really is the server it meant to reach. In theory, that keeps all data passed between them private. In practice, the encryption is only as good as that verification: if the app will happily encrypt to anyone who answers, the attacker simply answers, decrypts, and forwards the traffic to the real server.

The problem is that many Android apps do not use the SSL libraries and methods properly, which leaves them open to exactly this kind of MITM attack.

Android App Vulnerabilities

Below are the two kinds of SSL vulnerabilities that FireEye found in some of the most popular Android apps:

  • Not checking server certificates: Some apps do not check the server's certificate, which is what proves that the server is who it says it is. Website and server certificates are issued by a Certificate Authority (CA) that the device already trusts, and a correctly written app refuses any certificate that does not chain back to one of those CAs. An app that skips this check will accept any certificate at all, including one the attacker created a minute ago for the app's own server name, so a staged MITM attack goes completely unnoticed.
  • Not verifying the hostname of the server: Checking that a certificate is valid is not enough on its own, because the attacker can obtain a perfectly valid CA-issued certificate for a domain the attacker controls. The app must also confirm that the name on the certificate matches the server it intended to connect to. Without that check, a valid certificate for some other site is accepted for the app's server, and the app has no way to tell that it has been steered to a different host.

FireEye found that a whopping 73% of the apps in that sample that use SSL/TLS do not check server certificates when communicating with their servers. Further, 77% of the apps that display web content in Android's WebView ignore any SSL errors generated when loading it, which amounts to the same thing: the platform detects the problem and the app tells it to proceed anyway.
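To make the findings concrete, here is an added example (not code from the FireEye post or from PRIVATE WiFi) showing the three Android patterns that switch off server authentication, each next to the form that keeps it. The class and method names are hypothetical; the javax.net.ssl and android.webkit APIs they call are the real ones.

```java
// Added example: the Android SSL pitfalls described above, with hardened
// counterparts. Class name and method names are hypothetical.
import java.net.URL;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class SslPitfalls {

    // VULNERABLE (finding 1): a trust manager whose checkServerTrusted() is
    // empty accepts any certificate chain, including one an attacker
    // generated on the spot for the hostname the app is connecting to.
    static final TrustManager[] TRUST_EVERYTHING = new TrustManager[] {
        new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };

    static void installVulnerableTrustManager() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, TRUST_EVERYTHING, null);   // chain validation is now a no-op
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }

    // VULNERABLE (finding 2): a verifier that always returns true lets a
    // certificate legitimately issued to a domain the attacker controls pass
    // for the app's real server, so a perfectly valid cert defeats the check.
    static final HostnameVerifier ALLOW_ANY_HOST = new HostnameVerifier() {
        @Override public boolean verify(String hostname, SSLSession session) { return true; }
    };

    static void installVulnerableHostnameVerifier() {
        HttpsURLConnection.setDefaultHostnameVerifier(ALLOW_ANY_HOST);
    }

    // VULNERABLE (finding 3): a WebView that proceeds past every SSL error
    // renders whatever page the attacker serves, over a connection the
    // platform has already flagged as untrustworthy.
    static final WebViewClient IGNORE_SSL_ERRORS = new WebViewClient() {
        @Override public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.proceed();
        }
    };

    // HARDENED: leave the trust manager and hostname verifier alone. The
    // platform defaults validate the chain against the device's trusted CAs
    // and match the hostname against the certificate, so a plain
    // HttpsURLConnection to an https:// URL already performs both checks.
    static HttpsURLConnection openVerifiedConnection(String url) throws Exception {
        return (HttpsURLConnection) new URL(url).openConnection();
    }

    // HARDENED: treat an SSL error in a WebView as fatal. This is also what
    // the default WebViewClient implementation does, so the safest override
    // is no override at all.
    static final WebViewClient FAIL_CLOSED = new WebViewClient() {
        @Override public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.cancel();
        }
    };
}
```

The usual reason developers write the vulnerable versions is a self-signed certificate on a test server. The right response is to add that one certificate to a custom trust store for the test build, not to disable validation for everyone.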

Protect Your Android Device Using a VPN

Luckily, there is something you can do about the network side of this. If you use an Android phone, you can protect your traffic on untrusted networks with a VPN like PRIVATE WiFi. A VPN encrypts all of the information going into and out of your mobile device and carries it through a tunnel to the VPN server, so an attacker sitting on the same Wi-Fi network, which is where a MITM attack is most easily staged, intercepts nothing but gibberish.

So while Android apps may be susceptible to man-in-the-middle attacks, PRIVATE WiFi means that an attacker on the local network cannot read or tamper with the personal information your apps send. One caveat worth knowing: the tunnel ends at the VPN server, and beyond that point the app's traffic is protected only by the app's own SSL handling, so the VPN takes away the attacker's easiest vantage point rather than repairing a broken certificate check. That fix lies with the app developers.

And that should let you rest a little easier.



Jared Howe

Jared Howe is PRIVATE WiFi’s Senior Manager, Product Marketing Communications. Working in high tech for over 15 years, Jared currently lives in Seattle with his wife, daughter, and their two cats.
