Use of SSL in Android Applications
Like the SSL Certificate Validation Issues mentioned before, otherwise benign Android apps can be vulnerable to man-in-the-middle attacks because of the way they misuse SSL/TLS.
The paper Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security, by Sascha Fahl, Marian Harbach, Thomas Muders, Matthew Smith, Lars Baumgärtner and Bernd Freisleben, describes a tool the authors built (MalloDroid) to find SSL/TLS code that is susceptible to man-in-the-middle (MITM) attacks. They ran it against 13,500 popular free apps and found that over a thousand of them contained potentially vulnerable SSL/TLS code.
The misuse cases discussed are trusting all certificates (a custom TrustManager whose checkServerTrusted never rejects a chain), accepting all hostnames (an allow-all HostnameVerifier), trusting too many Certificate Authorities (CAs), and mixed-mode or no SSL at all. The paper has many useful references, and pointers to tools that can be used to assess the use of SSL/TLS in Android applications.
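To make the first two misuse cases concrete, here is an added example (not code from the paper, nor from MalloDroid) showing the "trust all certificates" and "allow all hostnames" patterns as they typically appear in Android apps, next to a hardened version that keeps the platform's default chain and hostname validation and adds a public-key pin check. The class name, method names and the pin value are placeholders chosen for the illustration; java.util.Base64 is assumed to be available (Android API 26 and later).

```java
import java.net.URL;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Hypothetical class written for this illustration.
public class SslMisuseExamples {

    // VULNERABLE: "trust all certificates". checkServerTrusted never throws,
    // so the self-signed certificate presented by a MITM proxy is accepted
    // exactly like a certificate issued by a trusted CA.
    static final TrustManager[] TRUST_ALL = new TrustManager[] {
        new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            public void checkServerTrusted(X509Certificate[] chain, String authType) {}
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };

    // VULNERABLE: "allow all hostnames". Even with proper chain validation, a
    // valid certificate for attacker.example is accepted for bank.example.
    static final HostnameVerifier ALLOW_ALL = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) { return true; }
    };

    // The pattern MalloDroid-style static analysis looks for: a custom
    // SSLContext initialised with a permissive TrustManager and an allow-all
    // HostnameVerifier installed on the connection.
    static HttpsURLConnection openInsecure(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, TRUST_ALL, new SecureRandom());
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(ALLOW_ALL);
        return conn;
    }

    // HARDENED: no custom SSLSocketFactory or HostnameVerifier, so the default
    // SSLContext validates the chain against the platform trust store and the
    // default HostnameVerifier matches the certificate against url.getHost().
    // On top of that, the SHA-256 of the leaf certificate's SubjectPublicKeyInfo
    // is compared with a pin shipped in the app, which also addresses the
    // "too many CAs" case: a mis-issued certificate from another trusted CA
    // fails the pin check.
    static HttpsURLConnection openSecure(URL url, String expectedSpkiSha256Base64)
            throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.connect(); // handshake: chain + hostname validated by the platform
        Certificate[] chain = conn.getServerCertificates();
        byte[] spki = chain[0].getPublicKey().getEncoded();
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        String actual = Base64.getEncoder().encodeToString(digest);
        if (!actual.equals(expectedSpkiSha256Base64)) {
            conn.disconnect();
            throw new SSLPeerUnverifiedException(
                "public key pin mismatch for " + url.getHost());
        }
        return conn;
    }

    public static void main(String[] args) throws Exception {
        URL url = new URL("https://api.example.com/login"); // placeholder host
        // Placeholder pin: replace with the base64 SHA-256 of the real server key.
        String pin = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
        HttpsURLConnection conn = openSecure(url, pin);
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

When reviewing an app, grep the decompiled sources for implementations of X509TrustManager with empty checkServerTrusted bodies, for HostnameVerifier.verify returning true unconditionally, and for setHostnameVerifier or setSSLSocketFactory calls that install them; the presence of openInsecure-style code is what the paper counts as potentially vulnerable. Pinning as in openSecure needs a rotation plan, since the pin must be updated whenever the server key changes.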
Posted on: 01 February 2013 at 10:28 hrs
