Sensitive apps with 6.3 BILLION downloads found open to FREAK
Banking, medical, and privacy apps join shoddy cipher list
Thousands of Android and Apple apps could lose sensitive financial and privacy data through exposure to the FREAK vulnerability, researchers say.
The FREAK (Factoring RSA Export Keys) attack allowed sensitive data to be stolen before encrypted connections are secured by requesting weak export-grade 512-bit RSA keys.
FireEye researchers Yulong Zhang, Hui Xue, Tao Wei, and Zhaofeng Chen crawled the app stores and found 1228 Android offerings vulnerable to FREAK.
The apps had been downloaded 6.3 billion times in total.
"After scanning 10,985 popular Google Play Android apps with more than 1 million downloads each, we found 1228 of them are vulnerable to a FREAK attack because they use a vulnerable OpenSSL library to connect to vulnerable HTTPS servers," the team wrote in a report.
"An attacker may launch a FREAK attack using man-in-the-middle techniques to intercept and modify the encrypted traffic between the mobile app and backend server.
"The attacker can do this using well-known techniques such as ARP spoofing or DNS hijacking. Without necessarily breaking the encryption in real time, the attacker can record weakly encrypted network traffic, decrypt it and access the sensitive information inside."
Exposed and patched (1) iOS and (2) Android apps
They found 771 popular Apple apps of a pool of 14,079 were vulnerable on iOS versions below 8.2. Seven unnamed offerings remained exposed on all iOS platforms due to the use of custom vulnerable versions of OpenSSL.
The research which excludes games and sports apps that had little sensitive information to lose illustrates that the FREAK exposure is not confined to browsers.
FireEye published example attack scenarios and urges developers to fix their exposed apps adding that apps are valuable targets.
The work comes as BlackBerry joined the infamous list of FREAK vendors publishing a list of vulnerable software and promising fixes.
The company says exposed wares include BlackBerry 10 and 7.1-and-earlier OSs, various versions of its Enterprise Server, ditto BlackBerry Messenger on Windows, iOS and Android. ®