In contrast to the web ecosystem, where after initial problems the encryption of HTTP connections through TLS has gained wide adoption, a considerable number of Android applications still use cleartext HTTP connections. This is particularly problematic in applications that transmit sensitive user information (e.g. account data) to a server. In this scenario, a man-in-the-middle attacker can stealthily extract that information with very little effort, e.g. through an ARP spoofing or Evil Twin attack.
As part of this research project, we shed light on the general problem and describe in particular the situation of apps for the mobile operating system Android. To this end, we provide an overview of relevant prior scientific studies before we introduce and discuss the results of our own analysis of a data set of recent popular Android applications.