Chester Wisniewski, senior security adviser for Sophos, said the problem often stems from an application developer who does not know how to properly implement SSL. Also, careless developers skip implementing SSL in the beta version of an app and never turn it on when the app becomes generally available.
"One of the problems with SSL is it's very fragile," Wisniewski said. "If you break any one piece of how it works because it's inconvenient, and disable (the component) or turn it off, then the whole thing is useless."
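The "disable one piece and the whole thing is useless" point is concrete enough to check for in source code: an Android app that wires in an `X509TrustManager` whose `checkServerTrusted` does nothing, or a `HostnameVerifier` that always returns `true`, still negotiates an encrypted TLS session but accepts any certificate, so the encryption protects nothing against an active attacker. The following Python script is an added example, not code from Sophos or from the article: a small code-review audit that scans Java/Android source for those weakening patterns. The `RULES` names, the `SAMPLE_BROKEN` and `SAMPLE_OK` snippets and the function names are constructed for this illustration; the Java APIs the patterns look for (`X509TrustManager`, `HostnameVerifier`, Apache HttpClient's `ALLOW_ALL_HOSTNAME_VERIFIER`) are real.

```python
import re
from typing import List, Tuple

# Constructed sample of the anti-pattern the article describes: certificate
# and hostname checks stubbed out "because they were inconvenient".
# This is illustrative text, not code taken from any real app.
SAMPLE_BROKEN = """
TrustManager[] trustAll = new TrustManager[] { new X509TrustManager() {
    public void checkServerTrusted(X509Certificate[] chain, String auth) { }
    public void checkClientTrusted(X509Certificate[] chain, String auth) { }
    public X509Certificate[] getAcceptedIssuers() { return null; }
} };
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
});
"""

# Constructed sample that leaves the platform's default verification intact.
SAMPLE_OK = """
HttpsURLConnection conn = (HttpsURLConnection) new URL(apiUrl).openConnection();
conn.connect();
"""

# Rule name -> regex. DOTALL lets a rule span multi-line method bodies.
RULES = {
    # checkServerTrusted with an empty body: every server certificate accepted.
    "empty_checkServerTrusted": re.compile(
        r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}", re.DOTALL),
    # getAcceptedIssuers returning null: the usual companion of a trust-all manager.
    "null_accepted_issuers": re.compile(
        r"getAcceptedIssuers\s*\(\s*\)\s*\{\s*return\s+null\s*;\s*\}", re.DOTALL),
    # HostnameVerifier.verify that unconditionally returns true.
    "hostname_verifier_always_true": re.compile(
        r"verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)\s*\{\s*return\s+true\s*;\s*\}",
        re.DOTALL),
    # Apache HttpClient's permissive verifier constant, used by name.
    "allow_all_hostname_verifier": re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER"),
}


def find_weakened_tls(source: str) -> List[Tuple[str, int]]:
    """Return (rule_name, line_number) for every weakening pattern found,
    ordered by line. Line numbers are 1-based, counted from the start of
    the string, so they match editor line numbers for a file's contents."""
    findings = []
    for name, rx in RULES.items():
        for m in rx.finditer(source):
            line = source.count("\n", 0, m.start()) + 1
            findings.append((name, line))
    return sorted(findings, key=lambda f: f[1])


def is_tls_weakened(source: str) -> bool:
    """True when any rule matches; convenient as a CI gate for a source tree."""
    return bool(find_weakened_tls(source))


if __name__ == "__main__":
    for label, src in (("broken", SAMPLE_BROKEN), ("ok", SAMPLE_OK)):
        print(label, find_weakened_tls(src))
```

The regexes are deliberately narrow so they flag only the idioms that disable verification outright; a real audit would also walk the source tree and fail the build on any finding rather than only printing it.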
For companies, the research points to the importance of using virtual private networks when employees are accessing corporate email and data using a mobile device, Wisniewski said. "That way, it would be very difficult for somebody to man-in-the-middle it."
For consumers, Wisniewski recommended using the Chrome browser on an Android device or Apple Safari on the iPhone for sensitive transactions, when possible. The browsers have more reliable SSL implementations than apps.
In addition, people should avoid using public Wi-Fi networks for making purchases with a credit or debit card or accessing online banking, since most MITM attacks occur on such networks.
The latest research adds to the risks associated with Android devices. Because apps can be sold and distributed by anyone, a significant number have been found to be malware capable of stealing data, sending texts to paid services and distributing spam.
Despite the risks, wireless carriers and Android device makers continue to do a poor job at patching the software, recent studies show.