Hundreds of Android apps are still exposed to the FREAK vulnerability

According to network security company FireEye, about 1,228 Android apps that have been downloaded 6.3 billion times from the Google Play store are still vulnerable to the FREAK bug. The company published its research on Tuesday and noted that both Android and iOS apps remain vulnerable to a FREAK attack.

FREAK lets an attacker force the connection between a vulnerable client (a website's visitor or an operating system) and a server to use weak, export-grade encryption. Combined with a man-in-the-middle position, the attacker can intercept and decrypt the traffic, because the user is unknowingly communicating with a much lower level of encryption than they trust.

FireEye states that the latest Android and iOS platforms are both affected by the issue. Although Google and Apple have issued patches, these apps may still be vulnerable when connecting to servers that accept RSA_EXPORT cipher suites.
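The server-side condition the article describes, a server that still accepts RSA_EXPORT cipher suites, is something an operator can audit directly. The following is an added example, not code from FireEye or from the article: it builds a minimal TLS ClientHello (wire format per RFC 2246) that offers only RSA_EXPORT suites, parses the server's first record, and classifies the outcome. A ServerHello choosing an export suite means the server is FREAK-downgradable; a handshake_failure alert means it refuses them. The cipher suite ids and names come from the TLS cipher suite registry; the sample ServerHello and alert bytes are constructed here for offline use, and `check_server` is the only part that touches the network.

```python
import os
import socket
import struct

# Export-grade suites from the TLS 1.0 registry (RFC 2246, Appendix A.5).
# The RSA_EXPORT entries are the suites a FREAK downgrade lands on.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}
RSA_EXPORT_SUITES = {k for k, v in EXPORT_SUITES.items() if v.startswith("TLS_RSA_EXPORT")}

HANDSHAKE, ALERT = 0x16, 0x15          # TLS record content types
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02  # handshake message types


def build_client_hello(suites, random_bytes=None):
    """Build a TLS 1.0 ClientHello record that offers only the given cipher suites."""
    rnd = random_bytes if random_bytes is not None else os.urandom(32)
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        b"\x03\x01" + rnd + b"\x00"                      # client_version, random, empty session_id
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                                    # one compression method: null
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(record):
    """Return the cipher suite id chosen in a ServerHello record, or None for an alert/other."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != SERVER_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    # body layout: version(2) random(32) session_id_len(1) session_id(n) cipher_suite(2) compression(1)
    if len(body) < 35:
        return None
    off = 35 + body[34]
    if len(body) < off + 2:
        return None
    return struct.unpack("!H", body[off:off + 2])[0]


def classify(suite_id):
    """Map a negotiated suite (or None) to an audit verdict."""
    if suite_id is None:
        return "refused"          # server rejected the export-only offer
    if suite_id in RSA_EXPORT_SUITES:
        return "rsa_export"       # FREAK-downgradable
    if suite_id in EXPORT_SUITES:
        return "export"           # other export-grade suite accepted
    return "strong"


def check_server(host, port=443, timeout=5.0):
    """Live audit: offer only RSA_EXPORT suites; a ServerHello back means the server accepts them."""
    hello = build_client_hello(sorted(RSA_EXPORT_SUITES))
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello)
        return classify(parse_server_hello(sock.recv(4096)))


# Constructed sample: a ServerHello that picks TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003).
_sh_body = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x03" + b"\x00"
_sh_hs = bytes([SERVER_HELLO]) + len(_sh_body).to_bytes(3, "big") + _sh_body
SAMPLE_SERVER_HELLO_EXPORT = bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(_sh_hs)) + _sh_hs
# Constructed sample: fatal handshake_failure alert (level 2, description 40), a correct refusal.
SAMPLE_ALERT = bytes([ALERT]) + b"\x03\x01\x00\x02\x02\x28"

if __name__ == "__main__":
    print(classify(parse_server_hello(SAMPLE_SERVER_HELLO_EXPORT)))  # rsa_export
    print(classify(parse_server_hello(SAMPLE_ALERT)))                # refused
```

Running `check_server("example.test")` against a host you administer gives the same verdict string; "refused" is the expected answer from a server whose configuration excludes export suites, and "rsa_export" is the condition FireEye's research counts as vulnerable on the server side. The client-side half of the problem, an app whose bundled OpenSSL still negotiates these suites, is not something this server audit can see.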

Researchers Yulong Zhang, Hui Xue, Tao Wei and Zhaofeng Chen went through the Google Play app store to find out how widespread the FREAK vulnerability still is. The team scrutinized around 10,985 popular apps with over one million downloads each and found that 11.2 percent of them, 1,228 apps in total, are still vulnerable to the bug because they “use a vulnerable OpenSSL library to connect to vulnerable HTTPS servers.”

About 664 of these apps use Android’s bundled OpenSSL library and 554 rely on custom libraries.
According to the security researchers, 771 out of 14,079 — 5.5 percent — of popular iOS apps connect to vulnerable services and are therefore exposed to FREAK attacks on iOS versions below 8.2, which has been patched. Moreover, 771 apps ship their own vulnerable versions of OpenSSL and remain vulnerable even on iOS 8.2.

“Without necessarily breaking the encryption in real time, the attacker can record weakly encrypted network traffic, decrypt it and access the sensitive information inside,” FireEye said. FREAK could be a devastating attack, as it can be used to leak credentials and credit card information. Furthermore, “medical apps, productivity apps and finance apps” are also believed to be vulnerable.

Ehacking Staff
