Hundreds of Android apps are still exposed to FREAK vulnerability

According to network security company FireEye, about 1,228 Android apps that have been downloaded a combined 6.3 billion times from the Google Play store are still vulnerable to the FREAK bug. The company published its research on Tuesday and noted that both Android and iOS apps remain vulnerable to a FREAK attack.

FREAK lets attackers force the connection between a vulnerable client (a website or operating system) and a server down to weak, export-grade encryption. Combined with a man-in-the-middle position, the attacker can intercept and decrypt the data, because the user is unknowingly using a far weaker level of encryption than the one they trust.

FireEye states that both the latest Android and iOS platforms are affected by the issue. Although Google and Apple have issued patches, these apps may still be vulnerable when connecting to servers that accept RSA_EXPORT cipher suites.
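The downgrade described above leaves a visible trace on the wire: the server's ServerHello selects an export-grade RSA suite. As an added example that is not from the FireEye research or this article, the following Python parses a TLS ServerHello record and flags such a suite; the suite codes are the standard TLS registry values, and the sample records are constructed inline.

```python
import struct

# Export-grade RSA key-exchange suites (standard TLS registry codes).
# A FREAK downgrade ends with the server choosing one of these.
EXPORT_RSA_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def parse_server_hello(record: bytes):
    """Return the cipher suite selected in a TLS ServerHello record, or None."""
    # TLS record header: content type (1), version (2), length (2); 0x16 = handshake
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    # Handshake header: msg_type (1), length (3); ServerHello is msg_type 2
    if len(body) < 4 or body[0] != 0x02:
        return None
    hs = body[4:]
    # ServerHello: version (2), random (32), session_id_len (1), session_id, cipher_suite (2)
    if len(hs) < 35:
        return None
    off = 35 + hs[34]
    if len(hs) < off + 2:
        return None
    return struct.unpack("!H", hs[off:off + 2])[0]


def freak_downgrade_suspected(record: bytes):
    """Name of the export suite the server chose, or None if the record is clean."""
    suite = parse_server_hello(record)
    return None if suite is None else EXPORT_RSA_SUITES.get(suite)


def _sample_server_hello(suite: int) -> bytes:
    # Constructed sample: TLS 1.2 ServerHello, zero random, empty session id, no extensions
    hs_body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


SAMPLE_DOWNGRADED = _sample_server_hello(0x0003)  # constructed: export RC4-40 chosen
SAMPLE_CLEAN = _sample_server_hello(0xC02F)       # constructed: ECDHE-RSA-AES128-GCM-SHA256

if __name__ == "__main__":
    print(freak_downgrade_suspected(SAMPLE_DOWNGRADED))  # TLS_RSA_EXPORT_WITH_RC4_40_MD5
    print(freak_downgrade_suspected(SAMPLE_CLEAN))       # None
```

A client that is correctly patched never completes a handshake after this ServerHello, so seeing an export suite followed by application data is the condition worth alerting on.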

Researchers Yulong Zhang, Hui Xue, Tao Wei and Zhaofeng Chen went through the Google Play app store to find out how widespread the FREAK vulnerability still is. The team scrutinized around 10,985 popular apps with over one million downloads each and found that 11.2 percent of them, 1,228 apps in total, are still vulnerable because they “use a vulnerable OpenSSL library to connect to vulnerable HTTPS servers.”

About 664 of these apps use Android’s bundled OpenSSL library and 554 rely on custom libraries.

According to the security researchers, 771 out of 14,079 popular iOS apps (5.5 percent) connect to vulnerable services and are therefore exposed to FREAK attacks on iOS versions below 8.2, which has been patched. Moreover, 771 apps ship their own vulnerable versions of OpenSSL and remain vulnerable even on iOS 8.2.

“Without necessarily breaking the encryption in real time, the attacker can record weakly encrypted network traffic, decrypt it and access the sensitive information inside,” FireEye said. FREAK can be a devastating attack because it could be used to leak credentials and credit card information. Furthermore, “medical apps, productivity apps and finance apps” are also believed to be vulnerable.

Ehacking Staff