Six German academics have just published a very detailed and systematic paper about web security on Android.
Catchily entitled Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security, the paper sets out, amongst other things, to answer the question, “Just how well-informed are Android developers, and how much can we trust them to do web security properly?”
As you can imagine from the title, the answer is, “Not enough.”
By the way, in cryptographic documentation, Alice and Bob are always the two parties who want to communicate (longhand for A and B), while Eve is the eavesdropper, and Mallory (who is sometimes known as Mallet) is the malicious man-in-the-middler.
A man-in-the-middle (MITM) attack is devious but simple. I trick you into connecting to me, instead of, say, to your bank. You do a transaction, but I suck up all the data: username, account number, token code, the lot. I then immediately use this data, while it’s still valid, to transact with your bank. Except that I pay the money to myself.
So, if the Eves and Mallories of the world really love Android, as the authors claim, that’s bad news.