A report on Tuesday points out that a recent SSL/TLS vulnerability dubbed "FREAK" is not restricted to Web browsers and can affect mobile apps, leaving hundreds of iOS apps open to potential man-in-the-middle attacks.
Security researchers at FireEye recently went through thousands of iOS and Android apps and found that while the bulk are not vulnerable to the "FREAK" (Factoring RSA Export Keys) attack, a significant number are, reports Ars Technica.
Specifically, 771 of the top 14,079 apps in the iOS App Store are open to attack, while 1,288 Android apps with one million plus downloads are similarly vulnerable. According to researchers, vulnerable apps use affected crypto libraries to connect to servers with weak encryption keys, which are apparently still in use today.
"As an example, an attacker can use a FREAK attack against a popular shopping app to steal a user's login credentials and credit card information," FireEye researchers Yulong Zhang, Zhaofeng Chen, Hui Xue, and Tao Wei said. "Other sensitive apps include medical apps, productivity apps and finance apps."
Following FREAK's discovery, Apple issued patches for OS X, iOS and Apple TV, though apps running on hardware without the latest security update may still be exposed. FireEye said seven of the 771 affected iOS apps are vulnerable even with Apple's patch installed.
Discovered earlier in March, the FREAK exploit takes advantage of legacy support for decades-old, deprecated SSL/TLS encryption protocols. An attacker positioned between the client and the server can force an encryption downgrade, intercept the supposedly secure communications and harvest sensitive data.
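The downgrade described above only succeeds when one side of the connection is still willing to accept export-grade cipher suites. As an added example (not code from FireEye, Ars Technica or the article), the Python script below shows the defender's side of that: it flags export-grade suites in a server's advertised list, checks which suites a Python ssl client context would offer, and builds a client context that cannot be negotiated down. The server suite list is constructed sample data; OpenSSL's "EXP-"/"EXP1024-" naming and the 56-bit threshold are the only assumptions it relies on.

```python
"""Audit TLS cipher-suite lists for the export-grade suites that a FREAK-style
downgrade relies on, and verify a Python ssl client context does not offer them.
Added example; not code from FireEye or the article."""
import ssl
from typing import Iterable, List, Optional

# OpenSSL names a suite "EXP-..." or "EXP1024-..." when it is export-grade
# (40- or 56-bit symmetric keys). Anything at or below 56 bits of symmetric
# strength is treated the same way here, whatever its name.
EXPORT_MAX_BITS = 56


def is_export_grade(name: str, strength_bits: Optional[int] = None) -> bool:
    """True if a suite is export-grade by OpenSSL name or by symmetric strength."""
    if name.upper().startswith("EXP"):
        return True
    return strength_bits is not None and strength_bits <= EXPORT_MAX_BITS


def audit_suites(suites: Iterable[str]) -> List[str]:
    """Return the export-grade entries of a list of OpenSSL suite names."""
    return [s for s in suites if is_export_grade(s)]


def context_export_suites(ctx: ssl.SSLContext) -> List[str]:
    """Return the export-grade suites a context would offer in its ClientHello."""
    return [c["name"] for c in ctx.get_ciphers()
            if is_export_grade(c["name"], c.get("strength_bits"))]


def default_context_export_suites() -> List[str]:
    """Export-grade suites offered by Python's default client context (expect none)."""
    return context_export_suites(ssl.create_default_context())


def hardened_client_context() -> ssl.SSLContext:
    """A client context that cannot be downgraded to export or legacy suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Forward-secret AEAD suites only; the negative rules are belt and braces.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!EXPORT:!LOW:!aNULL:!eNULL")
    return ctx


# Constructed sample: a server's advertised suite list, as a scanner might record it.
SAMPLE_SERVER_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-SHA",
    "EXP-RC4-MD5",
    "EXP-DES-CBC-SHA",
    "EXP1024-RC4-SHA",
    "DES-CBC3-SHA",
]

if __name__ == "__main__":
    print("server offers export suites:", audit_suites(SAMPLE_SERVER_SUITES))
    print("default client offers export suites:", default_context_export_suites())
    print("hardened client offers export suites:",
          context_export_suites(hardened_client_context()))
```

On a current OpenSSL build both context checks come back empty, because export suites were removed from the library entirely; the audit function is what you would run over the suite lists of the servers an app talks to, which is where the article places the remaining exposure.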
21 Comments
Here you go. Let the trolls begin.
The nice thing is that iOS itself is still secure.
This is why you use the built-in libraries instead of rolling your own. Here's to placing a small bet that the bulk of the vulnerable apps were written using craptastic cross-platform tools instead of native development.
The nice thing is that iOS itself is still secure.
It'll be nice if media outlets report it in such a way that the less-computer-literate aren't encouraged to feel Apple Pay is somehow compromised...
Recommend reading the linked article. Of the 771 vulnerable iOS apps identified, only 7 (yes, seven) of those apps are vulnerable if you are running iOS 8.2 or newer on your device. Users should always put these sensationalism-seeking articles in the proper perspective. These are vulnerabilities, which does not imply that someone is actually engaged in exploiting these vulnerabilities. Plus, the article also adds a caveat that to be exploited the servers have to be using weak SSL encryption. What percentage of servers are we talking about, and how much does that now lower the 7 number to something even smaller? When all is said and done, I'd bet that more iPhones get dropped in toilets than get impacted by this vulnerability. I expect that there are far worse vulnerabilities in the NSA's cache of cyberweapons that make this one seem insignificant. I'm not going to lose any sleep over this one. The article doesn't give quantifiable data that indicates the percentage of vulnerable apps using a measurable scale that applies equally to iOS and Android. Not sure why, but it raises doubts about their credibility.