Many Android and iOS apps still vulnerable to FREAK attacks
Your browser may no longer be vulnerable to FREAK attacks, but what about the mobile apps you use? According to FireEye researchers, who have tested the most popular apps both for Android and for iOS, a considerable number of them are left open to a FREAK attack, as they contain vulnerable versions of the OpenSSL and SecureTransport libraries.
“Even after vendors patch Android and iOS, such apps are still vulnerable to FREAK when connecting to servers that accept RSA_EXPORT cipher suites. That’s why some iOS apps are still vulnerable to FREAK attack after Apple fixed the iOS FREAK vulnerability in iOS 8.2 on March 9,” the researchers explained.
The numbers are as follows:
- Of the 10,985 popular Google Play Android apps tested, 1228 (11.2%) of them are vulnerable. These apps have been downloaded over 6.3 billion times.
- Of the 14,079 popular Apple App Store iOS apps, 771 (5.5%) are vulnerable. “These apps are vulnerable to FREAK attacks on iOS versions lower than 8.2. Seven of these 771 apps have their own vulnerable versions of OpenSSL and they remain vulnerable on iOS 8.2,” the researchers noted.
Launching a FREAK attack is not that difficult. An attacker can intercept the encrypted traffic between the mobile app and backend server via a number of techniques, record it and decrypt it at his leisure, thus accessing the confidential information exchanged between the app and the server.
Depending on the nature of the app, this information may include personal and financial information, healthcare information, and login credentials, as shown in this screenshot:
The researchers urged app developers and website admins to fix this issue as soon as possible.
Server admins can check whether their server is vulnerable via this tool. If it is, disabling support for TLS export cipher suites as well as other cipher suites that are known to be insecure is a good idea, and so is enabling forward secrecy.
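The server-side check described above, written out as an added example (it is not the tool the article links to, nor FireEye's code): a minimal TLS client that offers only RSA_EXPORT cipher suites in its ClientHello and reports whether the server selects one of them. A server that does is the one a FREAK man-in-the-middle can downgrade; a server that answers with a handshake_failure alert has export suites disabled. The hostname, port and the cipher suite table are assumptions for illustration, and the classification logic is exercised offline on constructed ServerHello and alert records.

```python
"""Check whether a TLS server accepts RSA_EXPORT cipher suites (FREAK precondition).

Added example, not the article's tool. Sends a ClientHello that offers only
export suites and classifies the first record the server returns.
"""
import os
import socket
import struct

# RSA_EXPORT cipher suite code points (RFC 2246 Appendix A.5, plus the
# 1024-bit export suites OpenSSL names EXP1024-*). Assumed table for this example.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}

HANDSHAKE, ALERT = 0x16, 0x15          # TLS record content types
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02  # handshake message types


def build_client_hello(hostname, suites=RSA_EXPORT_SUITES):
    """Return one TLS record carrying a ClientHello that offers only `suites`."""
    suite_bytes = b"".join(struct.pack(">H", s) for s in suites)
    name = hostname.encode("ascii")
    # server_name extension (RFC 6066): type 0, list length, (name_type=0, len, name)
    sni_entry = struct.pack(">BH", 0, len(name)) + name
    sni_ext = struct.pack(">HHH", 0x0000, len(sni_entry) + 2, len(sni_entry)) + sni_entry
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2 (server may pick lower)
        + os.urandom(32)                              # client random
        + b"\x00"                                     # empty session_id
        + struct.pack(">H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack(">H", len(sni_ext)) + sni_ext
    )
    handshake = struct.pack(">B", CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    # Record-layer version 0x0301 is the conventional compatibility value.
    return struct.pack(">BHH", HANDSHAKE, 0x0301, len(handshake)) + handshake


def classify_server_response(record):
    """Classify the first TLS record a server sent back to the export-only ClientHello.

    Returns ("vulnerable", suite_name) when an RSA_EXPORT suite was selected,
    ("negotiated", suite_id) for any other suite, ("refused", alert_description)
    for an alert (40 = handshake_failure), or ("unexpected", content_type).
    """
    if len(record) < 5:
        raise ValueError("truncated TLS record")
    rec_type, _rec_version, rec_len = struct.unpack(">BHH", record[:5])
    payload = record[5:5 + rec_len]
    if rec_type == ALERT and len(payload) >= 2:
        return ("refused", payload[1])
    if rec_type == HANDSHAKE and payload and payload[0] == SERVER_HELLO:
        # ServerHello layout: type(1) length(3) version(2) random(32)
        #                     session_id_length(1) session_id cipher_suite(2) ...
        sid_len = payload[38]
        suite = struct.unpack(">H", payload[39 + sid_len:41 + sid_len])[0]
        if suite in RSA_EXPORT_SUITES:
            return ("vulnerable", RSA_EXPORT_SUITES[suite])
        return ("negotiated", suite)
    return ("unexpected", rec_type)


def _recv_exact(sock, n):
    """Read exactly n bytes or raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before a full TLS record arrived")
        buf += chunk
    return buf


def check_server(host, port=443, timeout=5.0):
    """Connect, send the export-only ClientHello, and classify the server's first record."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        header = _recv_exact(sock, 5)
        rec_len = struct.unpack(">H", header[3:5])[0]
        record = header + _recv_exact(sock, rec_len)
    return classify_server_response(record)


if __name__ == "__main__":
    import sys
    # Usage: python freak_check.py your.server.example [port]
    print(check_server(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

A result of `("refused", 40)` is what a correctly configured server returns; `("vulnerable", ...)` means the server still honours export suites and the cipher list should be tightened (and forward-secret ECDHE/DHE suites preferred) as the article recommends. Because the check speaks raw TLS, it works even on systems whose local OpenSSL has long since removed export suites.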
Developers should make sure that the TLS libraries their apps use – whether it’s OpenSSL, Microsoft Schannel, or Apple SecureTransport – are up to date.
Unfortunately, there is not much app users can do about this problem, except hope that developers will heed this warning.