Mobile apps left vulnerable for months
McAfee Labs researchers found that mobile app providers have been slow to address one of the most basic SSL vulnerabilities: improper digital certificate chain validation. An app that does not check that the server's certificate chains to a trusted root will accept a certificate presented by anyone on the network path, which is what makes a man-in-the-middle (MITM) attack against its "secure" connection possible.
In September 2014, the CERT Coordination Center at Carnegie Mellon University released a list of mobile apps with this weakness, including apps with millions of downloads to their credit. In January 2015, McAfee Labs tested the 25 most popular apps on CERT's list of vulnerable mobile apps that send login credentials over insecure connections and found that 18 still had not been patched, despite public disclosure, vendor notification and, in some cases, multiple version updates addressing concerns other than security.
The researchers simulated MITM attacks that intercepted information exchanged during supposedly secure SSL sessions. The exposed data included usernames and passwords and, in some instances, login credentials for social networks and other third-party services.
The most downloaded vulnerable app in the group is a mobile photo editor with between 100 million and 500 million downloads. The app lets users share photos on several social networks and cloud services. In late January, McAfee Labs downloaded the most current version of the app from Google Play and tested it with CERT Tapioca, CERT's MITM network-analysis tool. The researchers were able to intercept the username and password entered to log in to the cloud service used to share and publish photos.
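What the chain-validation bug amounts to, and how a MITM test such as the Tapioca run above exploits it, as an added Go example that is not part of the McAfee report or of CERT's tooling. It generalizes the single test described in the text into the three-way check a practitioner would want: a client that skips chain validation (Go's InsecureSkipVerify stands in for the accept-everything trust manager or hostname verifier the apps are assumed to have used; the page does not say which) and a client that validates are each pointed at an interceptor endpoint presenting a self-signed certificate with the correct name, and the validating client is then pointed at a genuine endpoint whose certificate chains to the root it trusts, to show the fix does not break the legitimate login. The root name "Example Root CA", the host name "photos.example", the login form and the loopback endpoints are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// makeCert issues a P-256 certificate for cn with the given IP SANs and key usage. A nil
// issuer means self-signed: our stand-in for a root CA and for an interceptor's forged cert.
func makeCert(cn string, ips []net.IP, ku x509.KeyUsage, issuer *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0, IPAddresses: ips,
	}
	parent, signer := tmpl, any(key) // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.Leaf, issuer.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// login stands up a loopback TLS endpoint presenting cert, has a client configured with cfg connect
// and, only if the handshake succeeds, send the login form. Returns what the endpoint received and the client's error.
func login(cert tls.Certificate, cfg *tls.Config) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	got := make(chan string, 1)
	go func() { // the endpoint: record whatever arrives after the handshake
		raw, err := ln.Accept()
		if err != nil {
			return
		}
		// Session tickets off, so the server sends nothing after its handshake flight.
		conn := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{cert}, SessionTicketsDisabled: true})
		data, _ := io.ReadAll(conn) // empty if the client aborted the handshake
		conn.Close()
		got <- string(data)
	}()
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", ln.Addr().String(), cfg)
	if err != nil {
		return "", err // handshake (and so chain validation) failed: nothing was sent
	}
	_, err = io.WriteString(conn, "user=alice&pass=hunter2") // constructed sample form
	conn.Close()
	return <-got, err
}

// RunScenario plays three logins: the non-validating app against the interceptor's endpoint,
// the validating app against it, and the validating app against the genuine CA-signed service.
func RunScenario() (leaked string, mitmErr error, genuineGot string, genuineErr error) {
	loop := []net.IP{net.ParseIP("127.0.0.1")}
	root := makeCert("Example Root CA", nil, x509.KeyUsageCertSign, nil)              // the trust anchor the app ships with
	genuine := makeCert("photos.example", loop, x509.KeyUsageDigitalSignature, &root) // chained to that root
	forged := makeCert("photos.example", loop, x509.KeyUsageDigitalSignature, nil)    // right name, no trusted issuer
	roots := x509.NewCertPool()
	roots.AddCert(root.Leaf)
	verifying := &tls.Config{RootCAs: roots}            // correct: validate the chain against the root
	vulnerable := &tls.Config{InsecureSkipVerify: true} // the flagged bug: accept any certificate
	leaked, _ = login(forged, vulnerable)
	_, mitmErr = login(forged, verifying)
	genuineGot, genuineErr = login(genuine, verifying)
	return
}

// IsUntrustedChain reports whether err is the chain failure a client must treat as fatal.
func IsUntrustedChain(err error) bool {
	var unknownCA x509.UnknownAuthorityError
	return errors.As(err, &unknownCA)
}

func main() {
	leaked, mitmErr, genuineGot, genuineErr := RunScenario()
	fmt.Printf("leaked to interceptor: %q\nvalidating app vs interceptor: %v (untrusted chain: %t)\ngenuine: %q %v\n", leaked, mitmErr, IsUntrustedChain(mitmErr), genuineGot, genuineErr)
}
```

Run it with `go run`: the non-validating client completes the handshake with the forged certificate and the interceptor reads the form in clear; the validating client fails the handshake with an unknown-authority error and never sends anything; the same validating client logs in to the genuine endpoint without trouble. That last leg is the check that matters when fixing a real app: the usual way this bug is introduced on Android is a TrustManager whose checkServerTrusted body is empty (or a hostname verifier that returns true), often added to make a test environment's self-signed certificate work, and the fix is to remove it and trust the test root explicitly, as the verifying config does here. Hostname verification is the sibling check: a certificate that chains correctly but was issued for a different name must also be rejected, which Go's client does by default and which this example does not exercise separately.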
Although there is no evidence that these mobile apps have been exploited, their cumulative download count runs into the hundreds of millions. Given those numbers, the choice by mobile app developers not to patch the SSL vulnerabilities has potentially put millions of users at risk of MITM attacks.
“Mobile devices have become essential tools for home to enterprise users as we increasingly live our lives through these devices and the applications created to run on them,” said Vincent Weafer, SVP of McAfee Labs, part of Intel Security.
“Digital trust is an imperative for us to truly engage with and benefit from the functionality they can provide. Mobile app developers must take greater responsibility for ensuring that their applications follow the secure programming practices and vulnerability responses developed over the past decade, and by doing so provide the level of protection required for us to trust our digital lives with them,” Weafer added.