Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security

2012


The most common approach to protect data during communication on the Android platform is to use the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols. To evaluate the state of SSL use in Android apps, we downloaded the 13,500 most popular free apps from Google's Play Market and studied their properties with respect to the usage of SSL. In particular, we analyzed the apps' vulnerability against Man-in-the-Middle (MITM) attacks due to the inadequate or incorrect use of SSL.


The results of our investigations can be summarized as follows:


- 1,074 apps contain SSL-specific code that either accepts all certificates or accepts all hostnames for a certificate, and are therefore potentially vulnerable to MITM attacks.


- 41 of the 100 apps selected for manual audit were vulnerable to MITM attacks due to various forms of SSL misuse.


- The cumulative install base of the apps with confirmed vulnerabilities against MITM attacks lies between 39.5 and 185 million users, according to Google's Play Market. The figure is a range because Google's Play Market does not report a precise number of installs, only an install range per app. The actual number is likely to be larger, since alternative app markets for Android also contribute to the install base.


- From these 41 apps, we could capture credentials for, among others, American Express, Diners Club, Paypal, bank accounts, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, remote control servers, arbitrary email accounts, and IBM Sametime.


- We were able to inject virus signatures into an anti-virus app, either making it flag arbitrary apps as viruses or disabling virus detection completely.


- It was possible to remotely inject and execute code in an app created by a vulnerable app building framework.


- 378 (50.1%) of the 754 Android users participating in the online survey did not judge the security state of a browser session correctly.


- 419 (55.6%) of the 754 participants had not seen a certificate warning before and typically rated the risk they were warned against as medium to low.
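The two code patterns behind the first finding above, accepting all certificates and accepting all hostnames, shown next to the hardened form that keeps the platform's own trust store and hostname verifier. This is an added illustration, not code from the paper or from any of the audited apps; the class and method names are my own.

```java
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class SslPatterns {

    // Vulnerable pattern 1: a TrustManager whose checkServerTrusted() never
    // throws, so any certificate, including one forged by a MITM, is accepted.
    static class AcceptAllTrustManager implements X509TrustManager {
        public void checkClientTrusted(X509Certificate[] chain, String authType) {}
        public void checkServerTrusted(X509Certificate[] chain, String authType) {}
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    // Vulnerable pattern 2: a HostnameVerifier that accepts every hostname, so a
    // certificate validly issued for some other domain is accepted for this one.
    static class AcceptAllHostnameVerifier implements HostnameVerifier {
        public boolean verify(String hostname, SSLSession session) { return true; }
    }

    // Hardened form: delegate to the platform's trusted CA store instead of
    // overriding the checks. (Hypothetical helper name.)
    static X509TrustManager platformTrustManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = the system's trusted CA store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Opens an HTTPS connection that validates the chain and the hostname.
    static HttpsURLConnection openStrict(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { platformTrustManager() }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Keep the default verifier; never replace it with AcceptAllHostnameVerifier.
        conn.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());
        return conn;
    }
}
```

An empty checkServerTrusted() body or a verify() that unconditionally returns true is exactly what a static scan of an APK should flag when auditing for these classes of misuse.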

Overview

Read more in the paper that was published at ACM CCS 2012