Android, iOS Apps Vulnerable to FREAK

Thursday, March 19, 2015 @ 02:03 PM gHale

Android and iOS apps used for various device functions are susceptible to the FREAK attack that weakens the encryption used for protecting the traffic to the server, officials said.

Attackers intercepting secure connections (HTTPS) between vulnerable clients and servers can force the communication to end up encrypted with a 512-bit RSA key, which is possible to break in a matter of hours for about $100 in renting cloud computing power.

OpenSSL Patching Vulnerabilities
Apple Gets the FREAK Out
Patch Tuesday Features FREAK Focus
FREAK Affects All Windows Versions

So far, security researchers at FireEye found 1,999 iOS and Android apps that may be susceptible. They analyzed 10,985 apps in Google Play, each with at least one million downloads, and discovered 1,228 were vulnerable to the FREAK (Factoring RSA Export Keys) attack made public at the beginning of the month.

This is a result of using a vulnerable build of OpenSSL cryptographic library, either the one included in Android (Google has yet to update the OS with a safe revision) or a version bundled into the app.

Researchers said 664 of the discovered vulnerable apps rely on the OpenSSL provided by Android, while the rest of 564 work with their own version of the library.

Things are slightly better on iOS as FireEye found 771 apps out of 14,079 that contacted vulnerable servers. Thanks to the patch from Apple March 9 that fixed the flaw in Secure Transport, all these products can suffer exploitation in iOS earlier than 8.2.

However, seven of the apps do not use Apple’s Secure Transport for traffic encryption and rely on an older OpenSSL, which makes them vulnerable even if the latest operating system update ended up installed on the device.

The mobile software currently affected by the FREAK vulnerability are from categories ranging from photo and video, lifestyle, social networking, and health and fitness to finance, communication, shopping and business, FireEye researchers said in a blog post.

All these contain sensitive information such as account log-in credentials, data related to online banking or productivity, as well as medical details.

The researchers also provided attack scenarios where they managed to extract log-in and credit card info from apps affected by the FREAK vulnerability.

Leave a Reply

You must be logged in to post a comment.