HTTPS-Crippling FREAK Exploit Hits Thousands of Android and iOS Apps
While almost all the attention paid to the HTTPS-crippling FREAK vulnerability has focused on browsers, consider this: thousands of Android and iOS apps, many with finance, shopping, and medical uses, are also vulnerable to the same exploit that decrypts passwords, credit card details, and other sensitive data sent between handsets and Internet servers.
Security researchers from FireEye recently examined the most popular apps on Google Play and the Apple App Store and found 1,999 titles that left users wide open to the encryption downgrade attack. Specifically, 1,228 Android apps with one million or more downloads were vulnerable, while 771 out of the top 14,079 iOS apps were susceptible. Vulnerable apps were those that used—or in the case of iOS, could use—an affected crypto library and connected to servers that offered weak, 512-bit encryption keys. The number of vulnerable apps would no doubt mushroom when analyzing slightly less popular titles.
“As an example, an attacker can use a FREAK attack against a popular shopping app to steal a user’s login credentials and credit card information,” FireEye researchers Yulong Zhang, Zhaofeng Chen, Hui Xue, and Tao Wei wrote in a blog post scheduled to be published Tuesday afternoon. “Other sensitive apps include medical apps, productivity apps and finance apps.” The researchers provided the screenshots above and below, which reveal the plaintext data extracted from one of the vulnerable apps after it connected to its paired server.