Hundreds of iOS apps vulnerable to HTTPS-based FREAK attack
A report on Tuesday points out that a recent SSL/TLS vulnerability dubbed "FREAK" is not restricted to Web browsers and can affect mobile apps, leaving hundreds of iOS apps open to potential man-in-the-middle attacks.
Security researchers at FireEye recently went through thousands of iOS and Android apps and found that while a bulk are not vulnerable to the "FREAK" (Factoring RSA Export Keys) attack, a significant number are, reports Ars Technica.
Specifically, 771 of the top 14,079 apps in the iOS App Store are open to attack, while 1,288 Android apps with one million plus downloads are similarly vulnerable. According to researchers, vulnerable apps use affected crypto libraries to connect to servers with weak encryption keys, which are apparently still in use today.
"As an example, an attacker can use a FREAK attack against a popular shopping app to steal a user's login credentials and credit card information," FireEye researchers Yulong Zhang, Zhaofeng Chen, Hui Xue, and Tao Wei said. "Other sensitive apps include medical apps, productivity apps and finance apps."
Following FREAK's discovery, Apple issued patches for OS X, iOS and Apple TV, though apps running on hardware without the latest security update may still be exposed. FireEye said seven of the 771 iOS apps affected are even vulnerable with Apple's patch installed.
Discovered earlier in March, the FREAK exploit takes advantage of legacy support for decades-old -- and deprecated -- SSL/TLS encryption protocols. Malicious users can force an encryption downgrade to intercept secure communications and harvest sensitive data.
Security researchers at FireEye recently went through thousands of iOS and Android apps and found that while a bulk are not vulnerable to the "FREAK" (Factoring RSA Export Keys) attack, a significant number are, reports Ars Technica.
Specifically, 771 of the top 14,079 apps in the iOS App Store are open to attack, while 1,288 Android apps with one million plus downloads are similarly vulnerable. According to researchers, vulnerable apps use affected crypto libraries to connect to servers with weak encryption keys, which are apparently still in use today.
"As an example, an attacker can use a FREAK attack against a popular shopping app to steal a user's login credentials and credit card information," FireEye researchers Yulong Zhang, Zhaofeng Chen, Hui Xue, and Tao Wei said. "Other sensitive apps include medical apps, productivity apps and finance apps."
Following FREAK's discovery, Apple issued patches for OS X, iOS and Apple TV, though apps running on hardware without the latest security update may still be exposed. FireEye said seven of the 771 iOS apps affected are even vulnerable with Apple's patch installed.
Discovered earlier in March, the FREAK exploit takes advantage of legacy support for decades-old -- and deprecated -- SSL/TLS encryption protocols. Malicious users can force an encryption downgrade to intercept secure communications and harvest sensitive data.
Comments
Here you go. Let the trolls begin.
The nice thing is that iOS itself is still secure.
Here's to placing a small bet that the bulk of the vulnerable apps were written using craptastic cross-platform tools instead of native development.
The nice thing is that iOS itself is still secure.
It'll be nice if media outlets report it in such a way that the less-computer-literate
aren't encouraged to feel ?Pay is somehow compromised...
Users should always put these sensationalist seeking articles in the proper perspective. These are vulnerabilities, which does not imply that someone is actually engaged in exploiting these vulnerabilities. Plus, the article also adds a caveat that to be exploited the servers have to be using weak SSL encryption. What percentage of servers are we talking about and how much does that now lower the 7 number to something even smaller. When all is said and done I'd bet that more iPhones get dropped in toilets than get impacted by this vulnerability. I expect that there are far worse vulnerabilities in the NSA's cache of cyberweapons that make this one seem insignificant. I'm not going to lose any sleep over this one.
The article doesn't give quantifiable data that indicates the percentage of vulnerable apps using a measurable scale that applies equally to iOS and Android. Not sure why, but raises doubts about their credibility.
Funny how nobody ever says this when it's a competing OS.
Exactly.
I hate cross-platform apps with a vengeance.
A report on Tuesday points out that a recent SSL/TSL vulnerability dubbed "FREAK" is not restricted to Web browsers and can affect mobile apps, leaving hundreds of iOS apps open to potential man-in-the-middle attacks.
Security researchers at FireEye recently went through thousands of iOS and Android apps and found that while a bulk are not vulnerable to the "FREAK" (Factoring RSA Export Keys) attack, a significant number are, reports Ars Technica.
Specifically, 771 of the top 14,079 apps in the iOS App Store are open to attack, while 1,288 Android apps with one million plus downloads are similarly vulnerable. According to researchers, vulnerable apps use affected crypto libraries to connect to servers with weak encryption keys, which are apparently still in use today.
"As an example, an attacker can use a FREAK attack against a popular shopping app to steal a user's login credentials and credit card information," FireEye researchers Yulong Zhang, Zhaofeng Chen, Hui Xue, and Tao Wei said. "Other sensitive apps include medical apps, productivity apps and finance apps."
Following FREAK's discovery, Apple issued patches for OS X, iOS and Apple TV, though apps running on hardware without the latest security update may still be exposed. FireEye said seven of the 771 iOS apps affected are even vulnerable with Apple's patch installed.
Discovered earlier in March, the FREAK exploit takes advantage of legacy support for decades-old -- and deprecated -- SSL/TSL encryption protocols. Malicious users can force an encryption downgrade to intercept secure communications and harvest sensitive data.
This is a ridiculously easy fix. Don't allow downgrade even when the site asks for it. All the apps that use system libraries are fixed by going to 8.2.
Also, some of those apps are theoretically vulnerable, but not really vulnerable, since if the end point doesn't allow a downgrade, they're safe; so if you're connecting to a known site that got configured to too not allow the downgrade (which should be the case, since otherwise this site would not be able to connect with a patched app) you're safe unless someone spoofs that site completely. If they do that, they probably don't need that bug anyway to get you to give them access.
What remains are apps that allow the downgrade but can connect to any web site. These would be the ones most vulnerable. I'd say they're probably a very small number. Keeping to trusted sites is one way to avoid this issue; but, the devellopper can avoid this issue by doing the simple fix.
Funny how nobody ever says this when it's a competing OS.
Because when you have crap OS security like in Android which is a malware haven, even comparing its issues to this, an application level bug that's fixed in 8.2 in anyone using standard IOS libraries, means that person has no understanding of security at all and is just having their jollies because Apple was mentioned somewhere in the headline. This is especially funny since this bug had a even bigger effect on Android apps since most won't even get the fix.
If an application transmits your password in the clear to a web site, which is an extreme form of what's happening here, not sure how this is IOS's or Apple's fault. The issue is well known. If the app maker is too lazy to do the quick fix, what can Apple do? Pull the app? Is Apple responsible for every security bug in the apps in the app store?
This fallback was part of the initial standard, it is not even a bug in the traditional sense of the word; more a broken as designed issue. Faster computers have allowed this issue to slowly emerge over time.
What happened to proper reporting. The title should say something like "Upgrade to iOS 8.2 NOW and you will only have 7 apps vulnerable to FREAK attack versus hundreds"
This is why you use the built-in libraries instead of rolling your own.
Here's to placing a small bet that the bulk of the vulnerable apps were written using craptastic cross-platform tools instead of native development.
If they are using https:// then I think they have to use WebKit or the app will not be accepted.
Plus, the article also adds a caveat that to be exploited the servers have to be using weak SSL encryption. What percentage of servers are we talking about and how much does that now lower the 7 number to something even smaller.
There is no direct relationship between the number of unpatched servers and the 7 really bad apps. The number 7 does not get lowered.
What happened to proper reporting. The title should say something like "Upgrade to iOS 8.2 NOW and you will only have 7 apps vulnerable to FREAK attack versus hundreds"
Many people are using old hardware and can't upgrade to the latest OS.
I don't see anyone blaming Apple. This vulnerability is affecting Android as well. I think you're reading just a little too much into it.
If an application transmits your password in the clear to a web site, which is an extreme form of what's happening here,
That is not what is happening here.
It takes three things to accomplish a hack with this exploit:
1) Unpatched server
2) Man in the middle
3) Old browser
It is completely platform agnostic.
The fact that the credentials are still being transferred with SSL means it is not a password in the clear, just old SSL.
Because when you have crap OS security like in Android which is a malware haven, even comparing its issues to this, an application level bug, means that person has no understanding of security at all and is just having their jollies because Apple was mentioned somewhere in the headline.
If an application transmits your password in the clear to a web site, which is an extreme form of what's happening here, not sure how this is IOS's or Apple's fault. The issue is well known. If the app maker is too lazy to do the quick fix, what can Apple do? Pull the app? Is Apple responsible for every security bug in the apps in the app store?
This fallback was part of the initial standard, it is not even a bug in the traditional sense of the word; more a broken as designed issue. Faster computers have allowed this issue to slowly emerge over time.
That is not what is happening here.
It takes three things to accomplish a hack with this exploit:
1) Unpatched server
2) Man in the middle
3) Old browser
It is completely platform agnostic.
The fact that the credentials are still being transferred with SSL means it is not a password in the clear, just old SSL.
I know that this is not what's happening here. I was saying that using this bit of code, was similar in result (in spirit, not reality) to sending in the clear. Maybe that wasn't clear in my sentence.
The man in the middle here intercepts the initial handshake and replaces it with one asking for a security downgrade, which the missconfigured web server allows, the key is broken, "mayhem" issues ;-).
You don't think it's prudent to list those 7 apps on this Apple blog?
Hmm. According to the article some of the vulnerable apps only connect to a single dedicated server and are only vulnerable if the server is allowing weak encryption keys. If the server does not allow weak keys I suppose that would break the app, so I guess the number of bad apps stays at 7 but the threat of data interception is reduced due to app breakage. In any case these are small numbers and small percentages and Apple has an active patching model to reduce the vulnerability quickly compared to other carrier dependent platforms.
The app programmers will likely upgrade their apps ASAP... no sense having the world stop buying their apps long after the app's been fixed.