Hundreds of Android apps are still exposed to FREAK vulnerablility
According to network security company FireEye, about 1228 Android apps that have been downloaded 6.3 billion times from the Google Play store are still vulnerable to the FREAK bug.The company published research on Tuesday and mentioned that both Android and iOS apps are yet vulnerable to a FREAK attack.
FREAK authorizes attackers to force data traveling between a vulnerable website or operating system to servers to use weak encryption protocols. If it is integrated with a man-in-the-middle attack, it can obstruct and crack the data as the user is unintentionally using a lower level of encryption rather than trusted.
FireEye declares both of the latest Android and iOS platforms to be vulnerable to the security issue. Despite Google and Apple issued patches, these apps may still be vulnerable when connecting to servers that accept RSA_EXPORT cipher suites.
Researchers Yulong Zhang, Hui Xue, Tao Wei and Zhaofeng Chen went through the Google Play app store in order to discover how severe the FREAK vulnerability could be until now. Around 10,985 popular apps have been scrutinized by the team with over one million downloads each and it has been found that 11.2 percent of them, 1,228 apps in total, are still vulnerable to the bug due to the reason that they "use a vulnerable OpenSSL library to connect to vulnerable HTTPS servers."
About 664 of these apps use Android's bundled OpenSSL library and 554 count on custom libraries.
According to the security researchers, 771 out of 14,079 -- 5.5 percent -- of popular iOS apps are connected to vulnerable services and, therefore, are vulnerable to FREAK attacks on iOS versions below 8.2, which has been patched. Moreover 771 apps have their own vulnerable versions of OpenSSL and they are vulnerable on iOS 8.2.
"Without necessarily breaking the encryption in real time, the attacker can record weakly encrypted network traffic, decrypt it and access the sensitive information inside," FireEye said.FREAK may be a devastating attack as it could be used for to leak credentials and credit card information. Furthermore, "medical apps, productivity apps and finance apps" are also believed to be vulnerable.
FREAK authorizes attackers to force data traveling between a vulnerable website or operating system to servers to use weak encryption protocols. If it is integrated with a man-in-the-middle attack, it can obstruct and crack the data as the user is unintentionally using a lower level of encryption rather than trusted.
FireEye declares both of the latest Android and iOS platforms to be vulnerable to the security issue. Despite Google and Apple issued patches, these apps may still be vulnerable when connecting to servers that accept RSA_EXPORT cipher suites.
Researchers Yulong Zhang, Hui Xue, Tao Wei and Zhaofeng Chen went through the Google Play app store in order to discover how severe the FREAK vulnerability could be until now. Around 10,985 popular apps have been scrutinized by the team with over one million downloads each and it has been found that 11.2 percent of them, 1,228 apps in total, are still vulnerable to the bug due to the reason that they "use a vulnerable OpenSSL library to connect to vulnerable HTTPS servers."
About 664 of these apps use Android's bundled OpenSSL library and 554 count on custom libraries.
According to the security researchers, 771 out of 14,079 -- 5.5 percent -- of popular iOS apps are connected to vulnerable services and, therefore, are vulnerable to FREAK attacks on iOS versions below 8.2, which has been patched. Moreover 771 apps have their own vulnerable versions of OpenSSL and they are vulnerable on iOS 8.2.
"Without necessarily breaking the encryption in real time, the attacker can record weakly encrypted network traffic, decrypt it and access the sensitive information inside," FireEye said.FREAK may be a devastating attack as it could be used for to leak credentials and credit card information. Furthermore, "medical apps, productivity apps and finance apps" are also believed to be vulnerable.
