Apple and Google freak out as SSL flaw hits thousands of apps

Android and iOS apps are still vulnerable to attacks exploiting the Freak SSL flaw, despite Apple and Google having issued patches.


New research from FireEye reveals that apps on both platforms remain vulnerable because they still run flawed versions of the OpenSSL library, whether the copy bundled with the operating system or one compiled into the app itself. That means an attacker could potentially carry out a man-in-the-middle (MITM) attack to intercept any kind of data the apps transmit, such as health and fitness records, medical data, login credentials, credit card details, emails, texts and photos.

In its analysis, the anti-malware vendor scanned nearly 11,000 Android apps with at least one million downloads each (6.3 billion downloads in total) and found that 1,228 of them were still vulnerable to attack through the Freak flaw. The flaw stems from US export restrictions imposed in the 1990s, which forced exported products to support weakened, crackable "export-grade" encryption.

Of these 1,228, 664 apps use Android's bundled OpenSSL library and 564 ship their own compiled copy of OpenSSL. All of these OpenSSL versions are vulnerable to Freak.

On iOS the numbers were much lower: just seven of the more than 14,000 apps scanned were vulnerable on iOS 8.2, although a further 764 apps were also vulnerable on devices that had not yet been updated to iOS 8.2.

“Even after vendors patch Android and iOS, such apps are still vulnerable to Freak when connecting to servers that accept RSA_EXPORT cipher suites. That's why some iOS apps are still vulnerable to Freak attack after Apple fixed the iOS Freak vulnerability in iOS 8.2 on March 9,” said FireEye's threat researchers in a blog post.

“An attacker may launch a Freak attack using man-in-the-middle (MITM) techniques to intercept and modify the encrypted traffic between the mobile app and backend server. The attacker can do this using well-known techniques such as ARP spoofing or DNS hijacking. Without necessarily breaking the encryption in real time, the attacker can record weakly encrypted network traffic, decrypt it and access the sensitive information inside.”
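The downgrade the FireEye researchers describe, and the handshake checks a defender would run over captured traffic, as an added example that is not code from the article or from FireEye. It assumes the standard TLS 1.0 to 1.2 handshake layout and the IANA cipher suite IDs for the RSA_EXPORT suites; the record builders, `downgrade_client_hello` and `freak_indicators` are hypothetical helpers written for this illustration, and every handshake message they operate on is constructed inline rather than captured from a real connection.

```python
import struct

# IANA cipher suite IDs for the RSA_EXPORT suites a FREAK downgrade relies on
# (512-bit "export-grade" RSA key exchange), plus one ordinary suite for samples.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F

HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO, SERVER_KEY_EXCHANGE = 0x01, 0x02, 0x0C
TLS12 = b"\x03\x03"


def _wrap(hs_type, body, version=TLS12):
    """Wrap a handshake body in Handshake and TLSPlaintext record headers."""
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + version + struct.pack("!H", len(hs)) + hs


def _body(record, expected_type):
    """Unwrap a record and return the handshake body, checking its type."""
    if record[0] != HANDSHAKE or record[5] != expected_type:
        raise ValueError("unexpected record or handshake type")
    return record[9:9 + int.from_bytes(record[6:9], "big")]


def build_client_hello(cipher_suites):
    """Constructed minimal ClientHello: zero random, no session id, null
    compression, no extensions (sample input, not a real capture)."""
    body = TLS12 + bytes(32) + b"\x00" + struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites) + b"\x01\x00"
    return _wrap(CLIENT_HELLO, body)


def build_server_hello(cipher_suite):
    """Constructed minimal ServerHello selecting one suite."""
    body = TLS12 + bytes(32) + b"\x00" + struct.pack("!H", cipher_suite) + b"\x00"
    return _wrap(SERVER_HELLO, body)


def build_rsa_server_key_exchange(modulus, exponent=b"\x01\x00\x01"):
    """Constructed ServerKeyExchange carrying ServerRSAParams (modulus, exponent).
    The trailing signature is omitted because this parser never checks it."""
    body = struct.pack("!H", len(modulus)) + modulus + struct.pack("!H", len(exponent)) + exponent
    return _wrap(SERVER_KEY_EXCHANGE, body)


def _suite_vector_offset(body):
    """Offset of the 2-byte cipher_suites length inside a ClientHello body."""
    pos = 2 + 32                 # client_version + random
    return pos + 1 + body[pos]   # skip session_id


def client_hello_suites(record):
    """Cipher suites offered in a ClientHello record, in wire order."""
    body = _body(record, CLIENT_HELLO)
    pos = _suite_vector_offset(body)
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos + 2, pos + 2 + cs_len, 2)]


def server_hello_suite(record):
    """Cipher suite the server selected in a ServerHello record."""
    body = _body(record, SERVER_HELLO)
    pos = 2 + 32
    pos += 1 + body[pos]
    return struct.unpack("!H", body[pos:pos + 2])[0]


def rsa_key_exchange_bits(record):
    """Bit length of the RSA modulus in an RSA ServerKeyExchange."""
    body = _body(record, SERVER_KEY_EXCHANGE)
    n_len = struct.unpack("!H", body[:2])[0]
    return int.from_bytes(body[2:2 + n_len], "big").bit_length()


def downgrade_client_hello(record, suites=tuple(RSA_EXPORT_SUITES)):
    """The MITM step on the wire: replace the client's cipher suite list so only
    RSA_EXPORT suites are offered.  A server that still accepts them picks one
    and answers with a 512-bit export key.  Handshake and record lengths are
    recomputed so the rewritten message stays well-formed."""
    body = _body(record, CLIENT_HELLO)
    pos = _suite_vector_offset(body)
    old_len = struct.unpack("!H", body[pos:pos + 2])[0]
    vec = b"".join(struct.pack("!H", cs) for cs in suites)
    new_body = body[:pos] + struct.pack("!H", len(vec)) + vec + body[pos + 2 + old_len:]
    return _wrap(CLIENT_HELLO, new_body, record[1:3])


def freak_indicators(client_hello, server_hello, rsa_server_key_exchange=None):
    """Detection check over a captured handshake.  Pass a ServerKeyExchange only
    when it carries RSA params (DHE/ECDHE bodies have a different layout)."""
    offered = client_hello_suites(client_hello)
    chosen = server_hello_suite(server_hello)
    have_ske = rsa_server_key_exchange is not None
    return {
        # the server negotiated export-grade RSA outright
        "export_suite_chosen": chosen in RSA_EXPORT_SUITES,
        # a compliant server never picks a suite the client did not offer
        "chosen_not_offered": chosen not in offered,
        # 512-bit-or-smaller RSA key in the key exchange
        "weak_rsa_key": have_ske and rsa_key_exchange_bits(rsa_server_key_exchange) <= 512,
        # RSA params sent for a non-export suite: the message a buggy client accepts
        "rsa_params_with_non_export_suite": have_ske and chosen not in RSA_EXPORT_SUITES,
    }


if __name__ == "__main__":
    hello = build_client_hello([TLS_RSA_WITH_AES_128_CBC_SHA, 0x0035])
    tampered = downgrade_client_hello(hello)
    weak_key = build_rsa_server_key_exchange(b"\x80" + bytes(63))  # 512-bit sample
    print(freak_indicators(hello, build_server_hello(0x0003), weak_key))
```

Whether the rewrite in `downgrade_client_hello` achieves anything depends on the server still accepting an RSA_EXPORT suite, which is exactly the condition the researchers quote above; the indicators are a consistency check over a capture, not a substitute for removing export suites from the server's cipher list and updating the app's OpenSSL.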

Speaking to SCMagazineUK.com earlier today, Jason Steer, chief security strategist EMEA at FireEye, said that the flaw is quite widespread, but that he was not sure how common in-the-wild attacks are, and added that other operating systems besides iOS, Android and BlackBerry may well be at risk too.

“We only looked at iOS and Android apps, however given that many of the developers will be using the same libraries, it is likely that we will see similar levels of vulnerability across Windows and Blackberry,” he said.

“Although this is a back end issue, it is important that consumers make better decisions in terms of what they download and what information they are giving away. It's crucial that consumers make updates to apps as soon as they are available as this will provide patches which will help stop vulnerabilities.”

The blog post concludes: “Mobile apps have become important front-ends and valuable targets for attackers. The Freak attack poses severe threats to the security and privacy of mobile apps. We encourage app developers and website admins to fix this issue as soon as possible.”

Philip Lieberman, CEO of Lieberman Software, added in an email to SCMagazineUK.com that Freak is not an easy attack to carry out, but that it could be used by governments for surveillance purposes.

“The Freak attack depends on a man-in-the-middle attack which makes it both easier and harder to pull off by an attacker. If the attacker can set up a spoofed cell site or a tampered femto/repeater site, they can accomplish the Freak attack with impunity given the devices allow it (common case). Users are particularly vulnerable to the insertion of bogus cell sites and have limited to no ability to detect legitimate vs. tampered or hostile cell site.

“In the case of governments that own or control cell networks, the Freak attack is a convenient way of covert interception of so-called encrypted data. Users can use VPN access via a third-party provider, however few mobile users are configured to use their devices in that manner. In some countries and under some circumstances, the use of VPN can be prohibited or illegal based on the countries' national defence policies.”

Mark James, security specialist at ESET, added that iPhones – or other mobiles – are not the problem here: “The perception that iPhones are not susceptible to malware will be one of the big factors here. The iPhone itself is relatively safe (excluding enterprise provisioning or dodgy app stores) but the way data is exchanged and thus interrogated is the problem here,” he told SCMagazineUK.com. “Freak could enable a man-in-the-middle (MiTM) attack to intercept safe data and extract your personal information, which could then be used for other identity fraud based attacks.

“While Android is susceptible to more malware type attacks the biggest problem is users' awareness of the dangers that mobile phones can present. We understand the importance of care when using a desktop but mobiles are not seen as that big a security risk, however as more and more of these attacks surface hopefully end users will understand the word ‘mobile’ relates to mobile computer not mobile phone as previously thought.”