V3 Enterprise Mobility Summit: App developers are failing to apply critical security patches, leaving millions of people open to man-in-the-middle attacks, according to McAfee Labs, part of Intel Security.
Researchers reported in the McAfee Labs Threats Report: February 2015 that a number of "popular" applications still do not include critical patches addressing the high-profile BERserk and Heartbleed Secure Sockets Layer (SSL/TLS) flaws.
"Poor programming practices by these app developers expose their users to a variety of SSL/TLS vulnerabilities such as BERserk and Heartbleed," read the paper.
"We dynamically tested the top 25 downloaded mobile apps that had been identified as vulnerable by CERT in September to ensure that usernames and passwords are no longer visible as a result of improper verification of SSL certificates.
"To our surprise, even though CERT notified the developers months ago, 18 of the 25 most downloaded vulnerable apps that send credentials via insecure connections are still vulnerable to man-in-the-middle attacks."
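The dynamic test McAfee describes puts a proxy with an untrusted certificate in front of each app and watches whether the app connects and sends its credentials anyway. The script below is an added example, not code from McAfee's report or from CERT's tooling: a complementary static check, in Python, over Java/Android source for the three trust-everything idioms that cause "improper verification of SSL certificates" in practice (an X509TrustManager whose checkServerTrusted does nothing, a HostnameVerifier that always returns true, and the deprecated ALLOW_ALL_HOSTNAME_VERIFIER constant). The javax.net.ssl API names are real; the sample Java snippets and the finding descriptions are constructed for this example.

```python
"""Static check for Android SSL/TLS certificate-validation anti-patterns.

Added example (not from the McAfee report).  The regexes target the
javax.net.ssl idioms that disable validation; the Java samples at the
bottom are constructed inputs used to exercise the scanner.
"""
import re

# (description, regex).  `[^{;]*` stops a pattern at a statement boundary so a
# call such as `platformTm.checkServerTrusted(chain, authType);` cannot bleed
# into an unrelated `{ }` further down the file.
PATTERNS = [
    ("trust-all TrustManager: checkServerTrusted has an empty body",
     re.compile(r"checkServerTrusted\s*\([^)]*\)[^{;]*\{\s*\}")),
    ("trust-all TrustManager: getAcceptedIssuers returns null/empty",
     re.compile(r"getAcceptedIssuers\s*\(\s*\)[^{;]*\{\s*return\s+"
                r"(?:null|new\s+X509Certificate\s*\[\s*0\s*\])\s*;\s*\}")),
    ("HostnameVerifier accepts any host: verify(...) { return true; }",
     re.compile(r"verify\s*\(\s*(?:final\s+)?String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)"
                r"[^{;]*\{\s*return\s+true\s*;\s*\}")),
    ("HostnameVerifier accepts any host: lambda returning true",
     re.compile(r"(?:HostnameVerifier\s+\w+\s*=|setHostnameVerifier\s*\()"
                r"\s*\(\s*\w+\s*,\s*\w+\s*\)\s*->\s*true\b")),
    ("deprecated ALLOW_ALL_HOSTNAME_VERIFIER in use",
     re.compile(r"\bALLOW_ALL_HOSTNAME_VERIFIER\b")),
]


def scan(source):
    """Return a sorted list of (line_number, description) for every match."""
    findings = []
    for desc, rx in PATTERNS:
        for m in rx.finditer(source):
            line = source.count("\n", 0, m.start()) + 1
            findings.append((line, desc))
    return sorted(findings)


# Constructed sample: the trust-everything boilerplate found in many apps.
# Only checkServerTrusted matters for a client; an empty checkClientTrusted
# is normal and is deliberately not flagged.
VULNERABLE_JAVA = """\
TrustManager[] trustAll = new TrustManager[] { new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    public void checkServerTrusted(X509Certificate[] chain, String authType) { }
    public X509Certificate[] getAcceptedIssuers() { return null; }
} };
SSLContext sc = SSLContext.getInstance("TLS");
sc.init(null, trustAll, new SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
});
"""

# Constructed sample of the older Apache HttpClient idiom plus a lambda.
LEGACY_JAVA = """\
SSLSocketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
conn.setHostnameVerifier((host, session) -> true);
"""

# Constructed sample that delegates to the platform trust store and default
# hostname verifier (the same checks the defaults perform); it exists to show
# what a non-empty check looks like and must produce no findings.
HARDENED_JAVA = """\
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init((KeyStore) null);
final X509TrustManager platformTm = (X509TrustManager) tmf.getTrustManagers()[0];
TrustManager[] delegating = new TrustManager[] { new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        platformTm.checkClientTrusted(chain, authType);
    }
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        platformTm.checkServerTrusted(chain, authType);
    }
    public X509Certificate[] getAcceptedIssuers() { return platformTm.getAcceptedIssuers(); }
} };
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) {
        return HttpsURLConnection.getDefaultHostnameVerifier().verify(hostname, session);
    }
});
"""

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_JAVA),
                      ("legacy", LEGACY_JAVA),
                      ("hardened", HARDENED_JAVA)):
        print(f"== {name} ==")
        for line, desc in scan(src) or [(0, "no findings")]:
            print(f"  line {line}: {desc}")
```

A clean scan is not proof of correct validation (custom verifiers can be wrong in subtler ways, and obfuscated or library code is not covered), so this is a pre-filter for review; the authoritative test remains the one McAfee ran, a proxy presenting an untrusted certificate to the running app.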
Heartbleed is a flaw in OpenSSL's implementation of the Transport Layer Security (TLS) heartbeat extension, a missing bounds check that lets a peer read up to 64KB of the other side's memory per request. OpenSSL is used by open source web servers such as Apache and Nginx, which between them host 66 percent of all sites.
BERserk is a critical vulnerability in the Mozilla Network Security Services (NSS) crypto library: lenient parsing of the ASN.1 (BER) encoding inside RSA PKCS#1 v1.5 signatures lets an attacker forge signatures for keys with a small public exponent, and so impersonate a TLS server without holding its private key.
McAfee said that one of the flawed applications had been downloaded hundreds of millions of times, representing a significant potential for harm.
"The most downloaded vulnerable app in this group is a mobile photo editor with between 100 million and 500 million downloads. The app allows users to share photos on several social networks and cloud services," read the paper.
"In late January, McAfee Labs tested the most current version of the app downloaded from Google Play and we were able to intercept the app's username and password credentials."
The apps' ongoing vulnerability to attack is particularly troubling as McAfee reported a 14 percent increase in mobile malware samples during the fourth quarter of 2014.
The figure means there are now over six million mobile malware samples in McAfee's collection targeting smartphone and tablet users in the wild.
The report highlighted a growth in potentially unwanted programs (PUPs) as another key threat facing mobile device users, claiming that there are 91 million such installations every day.
"The most common distribution techniques for PUPs include piggybacking on legitimate apps, social engineering, online ad hijacking, unintended installation of browser extensions and plug-ins, and forced installation along with legitimate apps," explained the report.
"They are hard to police because they don't exhibit the kind of malicious behaviour typically caught by security products. As this highlights, some PUP creators are becoming more sinister, so PUP policies must be frequently updated to ensure proper protection."
McAfee's research follows wider concerns about how smartphones and tablets can be used in the enterprise.
For guidance on how to safely deploy smartphones in business environments register to watch the 'How smartphones and tablets are putting your business at risk' video feature.
Also make sure to sign up for the full V3 Enterprise Mobility Summit to get access to all the latest research, analysis and expert comment on mobility.