A recent study found that more than 2,000 apps in the Apple App Store and Google Play Store are still vulnerable to FREAK, a widespread security flaw discovered earlier this month. An attacker exploiting the vulnerability can intercept HTTPS connections between vulnerable users and servers and force them onto weakened, export-grade encryption, which can then be broken to steal or manipulate sensitive data.

The analysis revealed that, after scanning nearly 11,000 of the most popular Google Play Android apps, amounting to 6.3 billion downloads, 1,228 used a vulnerable OpenSSL library to connect to vulnerable HTTPS servers. On a less severe scale, 771 (or 5.5 percent) of the 14,000 iOS apps scanned connected to vulnerable HTTPS servers.

“FREAK is both a platform vulnerability and an app vulnerability, since both iOS and Android apps may contain vulnerable versions of the OpenSSL library themselves,” explained the group of security researchers.

The researchers note that even where vendors have rolled out updates to patch the bug, such as Apple's iOS 8.2 release on March 9, apps connecting to servers that still accept RSA_EXPORT cipher suites remain unprotected. “As an example, an attacker can use a FREAK attack against a popular shopping app to steal a user’s login credentials and credit card information,” explained the researchers. Other affected apps fall into security- and privacy-sensitive categories, including medical tracking, productivity, finance, and photo and video. The security company did not disclose which apps in particular remained vulnerable.
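As an added example, not taken from the study or from this article, here is a check a server administrator can run against their own HTTPS endpoint to see whether it still accepts the RSA_EXPORT cipher suites that FREAK relies on: it sends a TLS 1.0 ClientHello offering only those suites and reads the negotiated suite out of the ServerHello. The cipher-suite ids come from RFC 2246; the host, port and the sample ServerHello and alert bytes are constructed for illustration.

```python
import os
import socket
import struct

# TLS_RSA_EXPORT_* cipher suite ids (RFC 2246, appendix A.5): the suites a FREAK downgrade lands on
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def build_export_only_client_hello() -> bytes:
    """TLS 1.0 ClientHello whose only offered cipher suites are RSA_EXPORT ones."""
    suites = b"".join(struct.pack("!H", s) for s in RSA_EXPORT_SUITES)
    body = (b"\x03\x01"                                   # client_version: TLS 1.0
            + os.urandom(32)                              # client random
            + b"\x00"                                     # empty session id
            + struct.pack("!H", len(suites)) + suites     # cipher_suites vector
            + b"\x01\x00")                                # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake record

def negotiated_suite(response: bytes):
    """Cipher suite id from a ServerHello record, or None if the server sent an alert or truncated data."""
    if len(response) < 5 or response[0] != 0x16:          # 0x16 handshake; 0x15 would be an alert (refusal)
        return None
    hs = response[5:]
    if len(hs) < 4 or hs[0] != 0x02:                      # 0x02 = ServerHello
        return None
    pos = 4 + 2 + 32                                      # skip handshake header, server_version, random
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                                    # skip session_id (length-prefixed)
    if len(hs) < pos + 2:
        return None
    return struct.unpack("!H", hs[pos:pos + 2])[0]

def accepts_rsa_export(response: bytes) -> bool:
    """True when the server agreed to an export-grade RSA suite, i.e. it is still FREAK-exposed."""
    return negotiated_suite(response) in RSA_EXPORT_SUITES

def probe(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Run the check against a server you administer (host/port are whatever you are responsible for)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_export_only_client_hello())
        return accepts_rsa_export(s.recv(4096))

# Constructed sample responses (not captured traffic): a ServerHello choosing 0x0003, and a fatal handshake_failure alert
SAMPLE_SERVER_HELLO_EXPORT = (b"\x16\x03\x01\x00\x2a" + b"\x02\x00\x00\x26" + b"\x03\x01"
                              + b"\x00" * 32 + b"\x00" + b"\x00\x03" + b"\x00")
SAMPLE_ALERT_HANDSHAKE_FAILURE = b"\x15\x03\x01\x00\x02\x02\x28"
```

A server that has disabled export suites answers the probe with a handshake_failure alert, which `accepts_rsa_export` reports as False.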
“Mobile apps have become important frontends and valuable targets for attackers. We encourage app developers and website admins to fix this issue as soon as possible,” said the researchers.