V3 Enterprise Mobility Summit: Apps developers are failing to install critical security patches, leaving millions of people open to man-in-the-middle attacks, according to McAfee Labs, part of Intel Security.
Researchers reported in the McAfee Labs Threats Report: February 2015 that a number of "popular" applications still do not include critical patches addressing the high profile BERserk and Heartbleed Secure Sockets Layer (SSL) flaws.
"Poor programming practices by these app developers expose their users to a variety of SSL/TLS vulnerabilities such as BERserk and Heartbleed," read the paper.
"We dynamically tested the top 25 downloaded mobile apps that had been identified as vulnerable by CERT in September to ensure that usernames and passwords are no longer visible as a result of improper verification of SSL certificates.
"To our surprise, even though CERT notified the developers months ago, 18 of the 25 most downloaded vulnerable apps that send credentials via insecure connections are still vulnerable to man-in-the-middle attacks."
Heartbleed is a flaw in the OpenSSL implementation of the Transport Layer Security protocol used by open source web servers such as Apache and Nginx, which host 66 percent of all sites.
BERserk is a critical vulnerability in the Mozilla NSS crypto library that could be exploited by hackers to forge RSA signatures.
McAfee said that one of the flawed applications had been downloaded hundreds of millions of times, representing a significant potential for harm.
"The most downloaded vulnerable app in this group is a mobile photo editor with between 100 million and 500 million downloads. The app allows users to share photos on several social networks and cloud services," read the paper.
"In late January, McAfee Labs tested the most current version of the app downloaded from Google Play and we were able to intercept the app's username and password credentials."
The apps' ongoing vulnerability to attack is particularly troubling as McAfee reported a 14 percent increase in mobile malware levels during the fourth quarter of 2014.
The figure means there are now over six million active mobile malware types targeting smartphone and tablet users in the wild.
The report highlighted a growth in potentially unwanted programs (PUPs) as another key threat facing mobile device users, claiming that there are 91 million such installations every day.
"The most common distribution techniques for PUPs include piggybacking on legitimate apps, social engineering, online ad hijacking, unintended installation of browser extensions and plug-ins, and forced installation along with legitimate apps," explained the report.
"They are hard to police because they don't exhibit the kind of malicious behaviour typically caught by security products. As this highlights, some PUP creators are becoming more sinister, so PUP policies must be frequently updated to ensure proper protection."
McAfee's research follows wider concerns about how smartphones and tablets can be used in the enterprise.
For guidance on how to safely deploy smartphones in business environments register to watch the 'How smartphones and tablets are putting your business at risk' video feature.
Also make sure to sign up for the full V3 Enterprise Mobility Summit to get access to all the latest research, analysis and expert comment on mobility.