Mobile apps still vulnerable to FREAK attacks

Pierluigi Paganini March 19, 2015

Despite principal vendors have released updates to fix the FREAK vulnerability many mobile apps for Android and Apple iOS are still vulnerable.

Early March, security experts discovered a critical vulnerability codenamed FREAK (CVE-2015-0204), also known as Factoring Attack on RSA-EXPORT Keys, which could be exploited by threat actors to run  man-in-the-middle attacks on encrypted traffic when Internet users visited supposedly secured websites.

By exploiting the FREAK flaw an attacker can force clients to use older and weaker encryption, then he can crack the traffic protected with 512-bit key encryption in a few hours. Once decrypted the traffic a threat actor can steal sensitive information or launch an attack by injecting malicious code.

Yesterday OpenSSL Team announced the presence of another critical vulnerability in the library that will be fixed with by a new update anticipated with an official advisory. Which is actual exposure to FREAK attacks for iOS and Android applications?

FireEye firm has published the report  that reveal a disconcerting reality,  despite vendors issued patched for Android and iOS, several apps are still vulnerable to FREAK attacks when connecting to servers that accept RSA_EXPORT cipher suites. Many iOS apps are still vulnerable to FREAK attack despite Apple has recently the iOS 8.2 version for its mobile devices.

“Even after vendors patch Android and iOS, such apps are still vulnerable to FREAK when connecting to servers that accept RSA_EXPORT cipher suites,” states FireEye in a blog post “That’s why some iOS apps are still vulnerable to FREAK attack after Apple fixed the iOS FREAK vulnerability in iOS 8.2 on March 9.”

FireEye scanned 10,985 popular Google Play Android apps and discovered that nearly 11.2 percent are vulnerable to the FREAK attack because they use a vulnerable OpenSSL library.

These 1228 apps have been downloaded over 6.3 billion times. Of these 1228 Android apps (1,228 apps), 664 use Android’s bundled OpenSSL library and 564 have their own compiled OpenSSL library. All these OpenSSL versions are vulnerable to FREAK.

Analyzing the vulnerable apps the researchers discovered that 664 applications are using Android’s bundled OpenSSL library and 564 custom compiled library.

The situation is better for Apple devices, only 771 of 14,000 apps scanned resulted vulnerable.

“These apps are vulnerable to FREAK attacks on iOS versions lower than 8.2,” the researchers wrote. “Seven these 771 apps have their own vulnerable versions of OpenSSL and they remain vulnerable on iOS 8.2.” continues the report.

The researchers have grouped the apps into several categories (photo and video apps, lifestyle, social networking, health fitness, finance, communication, shopping, business and medical apps), in the following graph is reported the number of vulnerable apps by category.

 

mobile apps vulnerable to FREAK attack

The report includes an example of the tests executed by FireEye, the experts tries the exploitation of the FREAK vulnerability affecting a popular shopping app. The researchers exploited the flaw to successfully steal user’s login credentials and credit card information.

Freak attack

 

Pierluigi Paganini

(Security Affairs – mobile apps, FREAK)



you might also like

leave a comment