Some iOS apps can also be exploited, despite Apple’s patch

Mar 18, 2015 10:26 GMT  ·  By

A total of 1,999 popular iOS and Android apps used for financial, social networking, shopping or communication are susceptible to the FREAK attack that weakens the encryption used for protecting the traffic to the server.

Attackers intercepting secure connections (HTTPS) between vulnerable clients and servers can force the communication to be encrypted with a 512-bit RSA key that can be broken in a matter of hours and little financial effort ($100 / €94 for renting cloud computing power).
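The downgrade just described shows up on the wire as a ServerHello that selects an export-grade RSA cipher suite (or a ClientHello that has been rewritten to offer one). The following is an added example, not code from the article or from FireEye: a minimal parser that flags those suites in a captured handshake record; the cipher suite IDs are the IANA registry values, and the sample records are constructed here for illustration.

```python
import struct

# Export-grade cipher suite IDs (IANA TLS Cipher Suite registry). The RSA_EXPORT
# ones are what FREAK downgrades a connection to; DHE_*_EXPORT are flagged too.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
CLIENT_HELLO, SERVER_HELLO = 1, 2

def parse_handshake(record):
    """Split one TLS record (content type 22) into (handshake_type, handshake_body)."""
    ctype, _major, _minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != 22 or len(record) < 5 + length:
        raise ValueError("not a complete TLS handshake record")
    hs = record[5:5 + length]
    hs_len = int.from_bytes(hs[1:4], "big")
    return hs[0], hs[4:4 + hs_len]

def suites_in(record):
    """Cipher suites a ClientHello offers, or the single suite a ServerHello selected."""
    hs_type, body = parse_handshake(record)
    off = 35 + body[34]                      # skip version(2) random(32) session_id
    if hs_type == SERVER_HELLO:
        return [struct.unpack("!H", body[off:off + 2])[0]]
    if hs_type == CLIENT_HELLO:
        n = struct.unpack("!H", body[off:off + 2])[0]
        return [struct.unpack("!H", body[i:i + 2])[0] for i in range(off + 2, off + 2 + n, 2)]
    return []

def export_suites_in(record):
    """Names of export-grade suites present; non-empty on a ServerHello means a downgrade."""
    return [EXPORT_SUITES[s] for s in suites_in(record) if s in EXPORT_SUITES]

def _record(hs_type, body):
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

def build_server_hello(suite):
    """Constructed sample: TLS 1.0 ServerHello with zero random, empty session id, null compression."""
    return _record(SERVER_HELLO, b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00")

def build_client_hello(suites):
    """Constructed sample: TLS 1.0 ClientHello offering the given suites, no extensions."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    return _record(CLIENT_HELLO, b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00")

if __name__ == "__main__":
    print(export_suites_in(build_server_hello(0x0008)))   # ['TLS_RSA_EXPORT_WITH_DES40_CBC_SHA']
    print(export_suites_in(build_server_hello(0x002F)))   # []
```

A client that never offered an export suite but receives a ServerHello selecting one is exactly the condition a patched TLS stack must reject.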

The root of the problem is the use of a vulnerable OpenSSL

Security researchers at FireEye have analyzed 10,985 apps in Google Play, each with at least one million downloads, and discovered that 1,228 were vulnerable to the FREAK (Factoring RSA Export Keys) attack made public at the beginning of the month.

This is a result of using a vulnerable build of OpenSSL cryptographic library, either the one included in Android (Google has yet to update the OS with a safe revision) or a version bundled into the app.

Researchers say that 664 of the vulnerable apps rely on the OpenSSL provided by Android, while the remaining 564 bundle their own version of the library.

Things are slightly better on iOS, where FireEye found only 771 apps out of 14,079 that contacted vulnerable servers. Because Apple's patch of March 9 fixed the flaw in Secure Transport, all of these products can be exploited only on iOS versions earlier than 8.2.

Researchers decrypt sensitive data

However, seven of the apps do not use Apple’s Secure Transport for traffic encryption and rely on an older OpenSSL, which makes them vulnerable even if the latest operating system update has been installed on the device.

According to a FireEye blog post on Tuesday, the mobile software currently affected by the FREAK vulnerability comes from categories ranging from photo and video, lifestyle, social networking, and health and fitness to finance, communication, shopping and business.

All these contain sensitive information such as account log-in credentials, data related to online banking or productivity, as well as medical details.

The researchers also provided attack scenarios where they managed to extract log-in and credit card info from apps affected by the FREAK vulnerability.

Photo gallery (2 images): "Log-in credentials uncovered"; "Researchers manage to decrypt credit card information".