tl;dr: 8% of the top 13k apps don't verify SSL certificates.<p><i>The scientists began their research by downloading 13,500 free apps from Google Play and subjecting them to a "static analysis." Those tests checked whether the SSL implementations of the apps were potentially vulnerable to "man-in-the-middle" exploits, in which attackers are able to monitor or tamper with communications flowing over public Wi-Fi hotspots or other unsecured networks. The results identified 1,074 apps, or eight percent of the sample, that contained "SSL specific code that either accepts all certificates or all hostnames for a certificate and thus are potentially vulnerable to MITM attacks."</i><p><snip><p><i>The paper made no attempt to measure the security provided by apps available for Apple's competing iOS platform. One possible reason the researchers focused on Android apps exclusively is that the openness of the Google platform made it easier to perform static analysis. That, in turn, made it possible to zero in on the apps with SSL implementations that exposed sensitive user data. It would be interesting to see the results of a similar analysis performed on the 13,000 most popular iPhone apps.</i>