Security company FireEye recently examined iOS and Android apps to determine whether they are vulnerable to the recently publicized FREAK attack. FREAK is a security flaw that allows a 2,048-bit SSL/TLS (Secure Sockets Layer/Transport Layer Security) encryption key to be downgraded to a weaker 512-bit key.
Via a man-in-the-middle attack, a hacker can use the FREAK exploit to intercept HTTPS connections and force vulnerable clients to use the weakened form of encryption. Once the connection is compromised, the hacker can potentially read the sensitive data being transmitted over HTTPS.
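The downgrade FREAK relies on is visible in the handshake itself: the server ends up selecting one of the RSA "export" cipher suites, which carry a 512-bit RSA key. The following Python snippet is an added example, not code from FireEye or the original post; it parses a captured TLS ClientHello or ServerHello and flags those suites, which is the check a defender would run over handshake captures. The sample handshakes are constructed inline; the cipher suite identifiers are the standard TLS values.

```python
import struct

# RSA export-grade suites (standard TLS cipher suite codes). Seeing one
# selected in a ServerHello means the key exchange was downgraded to a
# 512-bit RSA key, which is exactly the condition FREAK exploits.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def parse_hello(record):
    """Parse one TLS handshake record holding a ClientHello or ServerHello.
    Returns ("client", [offered suites]) or ("server", chosen suite)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4:
        raise ValueError("truncated handshake")
    hs_type, hs_len = hs[0], int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 35:  # version(2) + random(32) + session_id_len(1)
        raise ValueError("truncated hello")
    pos = 35 + body[34]  # skip the session id
    if hs_type == 0x01:  # ClientHello: 2-byte length, then the suite list
        n = struct.unpack("!H", body[pos:pos + 2])[0]
        suites = body[pos + 2:pos + 2 + n]
        if len(suites) != n or n % 2:
            raise ValueError("bad cipher_suites vector")
        return "client", [struct.unpack("!H", suites[i:i + 2])[0] for i in range(0, n, 2)]
    if hs_type == 0x02:  # ServerHello: the single selected suite
        return "server", struct.unpack("!H", body[pos:pos + 2])[0]
    raise ValueError("not a Hello message")

def export_rsa_suites(record):
    """Names of RSA export suites offered (ClientHello) or chosen (ServerHello)."""
    kind, suites = parse_hello(record)
    if kind == "server":
        suites = [suites]
    return [RSA_EXPORT_SUITES[s] for s in suites if s in RSA_EXPORT_SUITES]

def _hello(hs_type, suites):
    """Build a minimal constructed Hello record (zeroed random, no extensions)."""
    body = b"\x03\x01" + bytes(32) + b"\x00"
    if hs_type == 0x01:
        body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
        body += b"\x01\x00"  # one compression method: null
    else:
        body += struct.pack("!H", suites[0]) + b"\x00"
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed samples: a client offering AES-128 plus one export suite, a server
# that picked the export suite (downgraded), and a server that picked AES-128.
CLIENT_HELLO = _hello(0x01, [0x002F, 0x0003])
DOWNGRADED_SERVER_HELLO = _hello(0x02, [0x0003])
SAFE_SERVER_HELLO = _hello(0x02, [0x002F])
```

A client that never offers these suites cannot be downgraded this way; the ClientHello check is therefore the quickest test of whether an app's bundled TLS library still accepts export-grade RSA.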
Apple fixed the iOS FREAK vulnerability in iOS 8.2, but some apps remain vulnerable because they either bundle their own vulnerable OpenSSL libraries or connect to servers that remain unpatched. FireEye examined more than 14,000 popular iOS apps and found that 5.5% remain vulnerable to a FREAK attack.
On the iOS side, 771 of the 14,079 popular iOS apps examined (5.5%) connect to vulnerable HTTPS servers. These apps are vulnerable to FREAK attacks on iOS versions lower than 8.2. Seven of these 771 apps ship their own vulnerable versions of OpenSSL and remain vulnerable even on iOS 8.2.
Our take on the news:
App developers are patching their apps, but the pace can be slow. This puts customers at risk when developers ignore or are slow to respond to security threats like this one.