Hundreds of Android apps are still exposed to FREAK vulnerability

According to network security company FireEye, about 1,228 Android apps that have been downloaded 6.3 billion times in total from the Google Play store are still vulnerable to the FREAK bug. The company published its research on Tuesday and stated that both Android and iOS apps remain vulnerable to a FREAK attack.

FREAK allows attackers to force the connection between a vulnerable client (a website's visitors or an operating system) and a server to use weak, export-grade encryption. Combined with a man-in-the-middle attack, the attacker can intercept and crack the data, because the user is unknowingly using a lower level of encryption than they trust.

FireEye states that both the latest Android and iOS platforms are affected by the security issue. Although Google and Apple have issued patches, these apps may still be vulnerable when connecting to servers that accept RSA_EXPORT cipher suites.
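The two paragraphs above describe the downgrade: a client that would negotiate strong encryption is pushed onto an RSA_EXPORT cipher suite by a man-in-the-middle, and that is only possible when the server still accepts such suites. A defender reviewing captured traffic can spot both halves of this in the handshake: an export suite in a ClientHello's offer list, or, worse, one selected in a ServerHello. The following parser is an added example written for this article, not FireEye's tooling or code from the original page; it decodes a TLS handshake record (ClientHello or ServerHello), lists the cipher suites it carries and flags export-grade ones. The cipher suite identifiers come from RFC 2246/4346 and the 56-bit export draft; the `build_hello` helper and the sample records it produces are constructed here for illustration.

```python
import struct

# Export-grade cipher suites from RFC 2246/4346 and the 56-bit export draft.
# The TLS_RSA_EXPORT* entries are the ones a FREAK downgrade forces a client onto.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}

CLIENT_HELLO = 1
SERVER_HELLO = 2


def parse_hello(record):
    """Decode a TLS record carrying a ClientHello or ServerHello.

    Returns {"type": ..., "suites": [...]} where suites are the 16-bit
    cipher suite identifiers offered (ClientHello) or selected (ServerHello).
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4:
        raise ValueError("truncated TLS record")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) < hs_len:
        raise ValueError("truncated handshake message")
    # Both hello messages start with: version (2) + random (32) + session id (1 + n)
    pos = 2 + 32
    sid_len = hs[pos]
    pos += 1 + sid_len
    if hs_type == CLIENT_HELLO:
        n = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack("!H", hs[pos + i:pos + i + 2])[0] for i in range(0, n, 2)]
        return {"type": "ClientHello", "suites": suites}
    if hs_type == SERVER_HELLO:
        suite = struct.unpack("!H", hs[pos:pos + 2])[0]
        return {"type": "ServerHello", "suites": [suite]}
    raise ValueError("handshake type %d is not a hello message" % hs_type)


def export_suites_in(record):
    """Names of export-grade cipher suites found in the hello record.

    A non-empty result for a ServerHello means the server actually negotiated
    weak encryption, which is the condition FREAK exploits.
    """
    return [EXPORT_SUITES[s] for s in parse_hello(record)["suites"] if s in EXPORT_SUITES]


def build_hello(hs_type, suites):
    """Constructed sample builder (hypothetical helper): emits a minimal hello
    record so the parser can be exercised offline without real captures."""
    rnd = bytes(32)  # all-zero random, fine for a constructed sample
    if hs_type == CLIENT_HELLO:
        cs = b"".join(struct.pack("!H", s) for s in suites)
        body = (b"\x03\x03" + rnd + b"\x00"            # version, random, empty session id
                + struct.pack("!H", len(cs)) + cs      # cipher suite list
                + b"\x01\x00" + b"\x00\x00")           # null compression, no extensions
    else:
        body = b"\x03\x03" + rnd + b"\x00" + struct.pack("!H", suites[0]) + b"\x00"
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    # Constructed samples: a client offering a modern suite plus an export one,
    # and a server that picked the export suite.
    client = build_hello(CLIENT_HELLO, [0xC02F, 0x002F, 0x0003])
    server = build_hello(SERVER_HELLO, [0x0008])
    print("client offered export suites:", export_suites_in(client))
    print("server selected export suite:", export_suites_in(server))
```

Run over records pulled from a packet capture, the ServerHello check is the one that matters: a server that answers with any of these suites would let a FREAK man-in-the-middle succeed against a vulnerable client, and the fix on that side is to remove export suites from the server configuration.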

Researchers Yulong Zhang, Hui Xue, Tao Wei and Zhaofeng Chen went through the Google Play app store to find out how widespread the FREAK vulnerability still is. The team scrutinized around 10,985 popular apps with over one million downloads each and found that 11.2 percent of them, 1,228 apps in total, are still vulnerable to the bug because they “use a vulnerable OpenSSL library to connect to vulnerable HTTPS servers.”

About 664 of these apps use Android’s bundled OpenSSL library and 554 rely on custom libraries.
According to the security researchers, 771 out of 14,079 popular iOS apps (5.5 percent) connect to vulnerable services and are therefore vulnerable to FREAK attacks on iOS versions below 8.2, which has been patched. Moreover, 771 apps have their own vulnerable versions of OpenSSL and remain vulnerable even on iOS 8.2.

“Without necessarily breaking the encryption in real time, the attacker can record weakly encrypted network traffic, decrypt it and access the sensitive information inside,” FireEye said. FREAK could be a devastating attack, as it could be used to leak credentials and credit card information. Furthermore, “medical apps, productivity apps and finance apps” are also believed to be vulnerable.

Ehacking Staff