Mobile Security Apps Patch Holes
Wednesday, September 9, 2015 @ 02:09 PM gHale
Avira and Webroot patched their mobile security applications for iOS to address vulnerabilities that could lead to man-in-the-middle (MitM) attacks.
There is an SSL certificate validation hole in Webroot Mobile Protection for iOS, said security researcher David Coomber, who discovered the vulnerability. The app, part of the SecureAnywhere Business suite, provides essential security for iPhones and iPads, and includes features that allow IT teams to manage and secure their mobile workforce from a central console.
Webroot Mobile Protection versions 1.10.316 and prior don’t validate the SSL certificates received when connecting to secure websites, Coomber said in an advisory.
This could allow an MitM attacker to inject a rogue SSL certificate into the victim’s session and silently intercept usernames, passwords, and other sensitive information.
Coomber reported the vulnerability to Webroot on August 2, and it was patched on August 31 with the release of Webroot Mobile Protection 1.11.
Coomber has identified a similar vulnerability in Avira Mobile Security for iOS, an app designed for email protection and lost device recovery.
Avira Mobile Security versions 1.5.7 and prior send login information via an HTTP POST request. This allows an MitM attacker to capture usernames, passwords and other sensitive information.
Coomber said the password is hashed, but because the MD5 algorithm is used for that hashing, it is easy for a malicious hacker to crack the password.
The researcher reported the flaw to Avira on July 17, and the security firm patched it on September 3 with the release of Avira Mobile Security 1.5.11.