That same year another team of researchers from the Leibniz University of Hannover and Philipps University of Marburg in Germany analyzed 13,500 popular Android applications from Google Play and found that 1,074 of those applications contained SSL code that either accepted all certificates — including self-signed ones — or accepted certificates issued by legitimate authorities for domain names different than the ones the apps connected to.
It doesn't seem things have changed too much over the past two years. Researchers from security firm IOActive recently analyzed mobile banking apps for iOS devices from 60 financial institutions from around the world and found that while most of them used SSL, 40 percent of them did not did not validate the authenticity of digital certificates they received from servers, making them vulnerable to man-in-the-middle attacks.
Some of the self-signed certificates found by Netcraft tried to mimic legitimate certificates down to the name of certificate authorities that supposedly issued them, which suggests they were specifically created for malicious purposes.
One rogue certificate for *.google.com was crafted to appear as if it were issued by America Online Root Certification Authority 42, closely mimicking a legitimate AOL CA trusted in all browsers, the Netcraft researchers said.
A certificate for login.iqbank.ru claimed to have been issued by Thawte, another legitimate certificate authority, and the rogue certificate for qiwi.ru claimed it had been issued by SecureTrust, a CA operated by Trustwave. The certificate for *.itunes.apple.com was crafted to appear as if it was signed by VeriSign.
This is in clear contrast with some self-signed certificates for high-profile domain names that were also found, but don't appear to be serving a malicious purpose. One such certificate, issued for several Google-owned domains, was signed by a made-up certificate authority called Kyocast Root CA. KyoCast is a third-party modification for rooted Chromecast devices that allows them to access services outside of Google. It intentionally redirects connections that should normally go to Google's services to servers operated by KyoCast and the self-signed the certificate is used in that operation.
There have been signs lately of cybercriminals becoming interested in large-scale man-in-the-middle attacks. The Polish Computer Emergency Response Team (CERT Polska) reported last week that attackers were exploiting vulnerabilities in home routers in Poland to change their DNS settings and intercept online banking traffic from users.
Those particular attacks used a technique called SSL stripping to overcome banks using HTTPS on their sites, but certificate chain validation weaknesses in mobile banking apps could easily be exploited to achieve the same result, and with fewer indications to victims that an attack is in progress.
Sign up for Computerworld eNewsletters.