Patch a Mobile Flaw? Not so Fast

Thursday, February 26, 2015 @ 03:02 PM gHale

Along the lines of not learning from the past: The most popular mobile apps found vulnerable to man-in-the-middle (MitM) attacks last year remain open to those attacks this year, new research found.

Last September, the Computer Emergency Response Team (CERT) at Carnegie Mellon University found more than 20,000 Android applications failed to validate SSL certificates, leaving users vulnerable to attackers.


Looking at the environment today, almost three-quarters of the 25 most downloaded apps on CERT’s list remain unpatched, according to a report from Intel Security’s McAfee Labs.

“Specifically, we dynamically tested the top 25 downloaded mobile apps that had been identified as vulnerable by CERT in September to ensure that usernames and passwords are no longer visible as a result of improper verification of SSL certificates,” according to the McAfee report. “To our surprise, even though CERT notified the developers months ago, 18 of the 25 most downloaded vulnerable apps that send credentials via insecure connections are still vulnerable to MITM attacks.”

“The most downloaded vulnerable app in this group is a mobile photo editor with between 100 million and 500 million downloads,” the report said. “The app allows users to share photos on several social networks and cloud services. In late January, McAfee Labs tested the most current version of the app downloaded from Google Play using CERT Tapioca; we were able to intercept the app’s username and password credentials entered to log into the cloud service to share and publish photos.”

While the researchers did not find evidence these apps suffered from any exploitation, the total downloads for the apps range into the hundreds of millions.

“Mobile devices have become essential tools for home to enterprise users as we increasingly live our lives through these devices and the applications created to run on them,” said Vincent Weafer, senior vice president of McAfee Labs, part of Intel Security. “Digital trust is an imperative for us to truly engage with and benefit from the functionality they can provide. Mobile app developers must take greater responsibility for ensuring that their applications follow the secure programming practices and vulnerability responses developed over the past decade, and by doing so provide the level of protection required for us to trust our digital lives with them.”

The latest findings were included in the McAfee Labs Threat Report: February 2015, which also revealed that mobile malware samples jumped 14 percent during the final quarter of 2014.

