Millions of iOS and Android mobile applications are still vulnerable to the Freak flaw, despite the availability of patch fixes, according to FireEye researchers.
Yulong Zhang, Hui Xue, Tao Wei and Zhaofeng Chen reported in a threat advisory that Android was the most affected mobile operating system, warning that more than 10 percent of apps may still be vulnerable to Freak.
"Even after vendors patch Android and iOS, such apps are still vulnerable to Freak when connecting to servers that accept RSA_EXPORT cipher suites," read the advisory.
"After scanning 10,985 popular Google Play Android apps with more than one million downloads each, we found 1,228 (11.2 percent) of them are vulnerable to a Freak attack because they use a vulnerable OpenSSL library to connect to vulnerable HTTPS servers," they wrote.
"These 1228 apps have been downloaded over 6.3 billion times. Of these 1228 Android apps, 664 use Android’s bundled OpenSSL library and 564 have their own compiled OpenSSL library. All these OpenSSL versions are vulnerable to FREAK."
The situation on iOS is not much better, the researchers noted:
"On the iOS side, 771 out of 14,079 (5.5 percent) popular iOS apps connect to vulnerable HTTPS servers. These apps are vulnerable to Freak attacks on iOS versions lower than 8.2. Seven of these 771 apps have their own vulnerable versions of OpenSSL and they remain vulnerable on iOS 8.2."
Google declined V3's request for comment on FireEye's research. Apple had not replied at the time of publishing.
Freak is a cross-platform flaw in SSL/TLS protocols that could be exploited to intercept and decrypt HTTPS connections between vulnerable clients and servers.
The FireEye researchers warned the flaw is particularly dangerous as it could be exploited by hackers for a variety of purposes.
"An attacker may launch a Freak attack using man-in-the-middle techniques to intercept and modify the encrypted traffic between the mobile app and back-end server. The attacker can do this using well-known techniques such as ARP spoofing or DNS hijacking," read the advisory.
"As an example, an attacker can use a Freak attack against a popular shopping app to steal a user's login credentials and credit card information. Other sensitive apps include medical apps, productivity apps and finance apps."
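The advisory's central point is that an app is exposed when its TLS client will complete a handshake on an RSA_EXPORT cipher suite, so the thing a defender wants to spot in captured traffic is a ServerHello that negotiates one of those suites. The following script is an added example, not code from FireEye or from the article; it builds a constructed ServerHello record, parses the fields a TLS 1.0-1.2 ServerHello carries, and reports whether the negotiated suite is export-grade. The suite table covers the IANA-registered export suites; the builder and helper names are the example's own.

```python
"""Flag TLS ServerHello records that negotiate an export-grade cipher suite.

Added example (not from the article). Input is a single TLS record containing
a ServerHello, as seen on the wire for TLS 1.0 through 1.2.
"""

# IANA-registered export-grade suites (40-bit symmetric keys, 512-bit RSA/DH).
# A client that accepts any of these is exposed to the downgrade the article
# describes; the RSA_EXPORT entries are the ones FREAK targets.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

HANDSHAKE_RECORD = 0x16
SERVER_HELLO = 0x02


def parse_server_hello(record: bytes) -> dict:
    """Parse a TLS record holding a ServerHello and return its key fields."""
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    handshake = record[5:5 + rec_len]
    if len(handshake) < 4 or handshake[0] != SERVER_HELLO:
        raise ValueError("record does not carry a ServerHello")
    hs_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + hs_len]
    # version(2) + random(32) + session_id_len(1) is the fixed prefix.
    if len(body) < 35:
        raise ValueError("ServerHello body truncated")
    sid_len = body[34]
    pos = 35 + sid_len
    if len(body) < pos + 3:
        raise ValueError("ServerHello body truncated after session id")
    suite = int.from_bytes(body[pos:pos + 2], "big")
    return {
        "version": (body[0], body[1]),
        "session_id": body[35:pos],
        "cipher_suite": suite,
        "compression": body[pos + 2],
    }


def is_export_suite(suite: int) -> bool:
    """True if the 16-bit suite id is one of the export-grade suites."""
    return suite in EXPORT_SUITES


def check_record(record: bytes) -> dict:
    """Return the negotiated suite plus a verdict a monitoring rule can act on."""
    hello = parse_server_hello(record)
    suite = hello["cipher_suite"]
    return {
        "cipher_suite": suite,
        "name": EXPORT_SUITES.get(suite, "non-export suite 0x%04x" % suite),
        "export_grade": is_export_suite(suite),
    }


def build_server_hello(cipher_suite: int, session_id: bytes = b"") -> bytes:
    """Construct a minimal TLS 1.0 ServerHello record (sample data for testing)."""
    random32 = bytes(range(32))  # constructed, not a real server random
    body = (bytes([0x03, 0x01]) + random32 + bytes([len(session_id)])
            + session_id + cipher_suite.to_bytes(2, "big") + b"\x00")
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD, 0x03, 0x01]) + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    # Constructed samples: one downgraded handshake, one healthy ECDHE handshake.
    for suite in (0x0003, 0xC02F):
        print(check_record(build_server_hello(suite, session_id=b"\xaa" * 8)))
```

The same parser works on the bytes a packet capture tool hands you for the first server-to-client handshake record, and the `export_grade` field is the condition to alert on; a server that should never be talking to mobile clients on these suites can also simply have them removed from its cipher list, which is the fix the advisory points to for the server side.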
The Freak flaw affects numerous systems outside of iOS and Android. BlackBerry admitted the Freak flaw affected its devices and services earlier this week.
Microsoft released a massive fix for Freak across its portfolio of services during its March Patch Tuesday.