Android apps 'leak' personal details Published duration 22 October 2012

image caption Better tools are needed to help developers secure data, say researchers

Millions of people are using Android apps that can be tricked into revealing personal data, research indicates.

These apps failed to implement standard scrambling systems, allowing "man-in-the-middle" attacks to reveal data that passes back and forth when devices communicate with websites.

Google has yet to comment on the research and its findings.

Researchers from the security group at Leibniz University of Hanover and the computer science department at the Philipps University of Marburg tested the most popular apps in Google's Play store.

By creating a fake wi-fi hotspot and using a specially created attack tool to spy on the data the apps sent via that route, the researchers were able to:

capture login details for online bank accounts, email services, social media sites and corporate networks

disable security programs or fool them into labelling secure apps as infected

inject computer code into the data stream that made apps carry out specific commands

An attacker could even re-direct a request to transfer funds, while making it look to the app user like the transaction was proceeding unchanged.

Some of the apps tested had been downloaded millions of times, the researchers said.

And a follow-up survey of 754 people suggests users could struggle to spot when they were at risk.

"About half of the participants could not judge the security state of a browser session correctly," the researchers wrote.