"Many Mobile Apps Intentionally Using Insecure Connections for Sending Data"
A new study by Symantec analyzed hundreds of thousands of Android and iOS apps released to Google Play and Apple's App Store between 2017 and 2021. The study's goal was to identify apps that break the green padlock, which indicates a secure communication channel between the user's browser and the server, and apps that disable features developed to improve privacy and data integrity, such as App Transport Security (ATS) on iOS. Findings from the study reveal that many mobile application developers are intentionally disabling secure HTTPS protections when sending data from a user's browser to the server, leaving sensitive data vulnerable to interception and compromise by attackers. One reason for this seems to be to facilitate the delivery of advertisements through the apps.

The study showed that 7 percent of iOS apps and 3.4 percent of Android apps deliberately break the green padlock. Symantec found that these apps are actively sending data to insecure network servers and disabling SSL validation. According to Symantec, the volume of iOS apps with these behaviors has not declined, as more iOS apps (45,158 out of 593,208) were found exhibiting dangerous behavior in 2020 than in previous years. On the other hand, the volume of Android apps breaking the padlock has been decreasing, with a drop from 5 percent in 2017 to 2.4 percent currently. A total of 12,243 out of 249,640 Android apps were found to be vulnerable in 2017. There are currently 2,376 out of 99,170 Android apps that break the padlock. Apps breaking HTTPS protections spanned multiple categories, such as gaming and finances.

This article continues to discuss key findings from Symantec's analysis of iOS and Android apps.
Dark Reading reports "Many Mobile Apps Intentionally Using Insecure Connections for Sending Data"