Vulnerable Android and iOS Apps Expose Billions to FREAK Flaw

Security experts have warned that 2,000 Android and iOS apps are still vulnerable to the much-publicized FREAK flaw more than a fortnight after it was first disclosed, exposing billions of users to data loss.

FireEye researchers scanned 10,985 Google Play Android apps with more than one million downloads each and found 1,228 (11.2%) were still vulnerable to FREAK.

These apps have been downloaded over 6.3 billion times, they said in a blog post.

When it comes to iOS, 771 out of 14,079 (5.5%) popular apps were affected, although most of them only on versions of the OS earlier than the patched 8.2. Just seven of them remain vulnerable on the new OS, FireEye said.

It should be noted that the security vendor conducted these tests on 10 March, so the numbers of affected apps may have dropped by now.

“FREAK is both a platform vulnerability and an app vulnerability since both iOS and Android apps may contain vulnerable versions of the OpenSSL library themselves,” FireEye explained.

“Even after vendors patch Android and iOS, such apps are still vulnerable to FREAK when connecting to servers that accept RSA_EXPORT cipher suites.”

Apps in the 'photo and video' category appeared to be most affected, followed by 'lifestyle,' 'social networking,' 'finance,' and 'health and fitness.'

FireEye claimed an attacker could exploit FREAK via a vulnerable shopping app to steal log-in credentials and credit card details, for example.

Medical, financial and other personal details are also potentially at risk, it said.

“Mobile apps have become important front ends and valuable targets for attackers,” FireEye concluded. “The FREAK attack poses severe threats to the security and privacy of mobile apps. We encourage app developers and website admins to fix this issue as soon as possible.”

FREAK was first publicized on 3 March. Although the attack is far from straightforward, it was patched swiftly by the likes of Apple, Google and Microsoft.

To work, it requires an attacker to have access to the traffic flowing between an affected client and server. If they manage to launch a successful MITM, they could inject code forcing both sides to use weak 512-bit crypto, which can be easily cracked.

After that, passwords and other personal info are effectively exposed to the hacker, who can steal them or use them to launch additional attacks against the targeted site.
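For website admins checking the condition FireEye describes ("servers that accept RSA_EXPORT cipher suites"), the following is an added example, not code from FireEye or the original article. It parses the first TLS record your own server returns to a test ClientHello that offered only RSA_EXPORT suites and reports whether an export suite was selected; the function names and the sample records are constructed for illustration.

```python
import struct

# RSA key-exchange export suites and their IDs from the TLS 1.0 specification.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def selected_suite(record: bytes) -> int:
    """Return the cipher suite ID chosen in a TLS ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22:                      # 22 = handshake
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) < rec_len or len(body) < 39 or body[0] != 2:
        raise ValueError("not a complete ServerHello")
    # handshake header (4) + version (2) + random (32) = 38, then session_id
    off = 39 + body[38]
    if len(body) < off + 2:
        raise ValueError("truncated ServerHello")
    return struct.unpack("!H", body[off:off + 2])[0]

def accepts_rsa_export(record: bytes) -> bool:
    """True if the server answered by selecting an RSA_EXPORT suite."""
    if record[:1] == b"\x15":            # 21 = alert: the server refused the offer
        return False
    return selected_suite(record) in RSA_EXPORT_SUITES

def build_server_hello(suite: int, session_id: bytes = b"") -> bytes:
    """Constructed sample input: a minimal TLS 1.0 ServerHello record."""
    hello = b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
    hello += struct.pack("!H", suite) + b"\x00"      # null compression
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    samples = {
        "export suite selected": build_server_hello(0x0003),
        "AES suite selected": build_server_hello(0x002F, b"\xaa" * 32),
        "handshake_failure alert": b"\x15\x03\x01\x00\x02\x02\x28",
    }
    for label, rec in samples.items():
        print(f"{label}: accepts RSA_EXPORT = {accepts_rsa_export(rec)}")
```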

Jason Steer, chief security strategist EMEA at FireEye, argued that FREAK isn’t hard for developers to fix, but awareness of the flaw may be an issue.

“Most developers are not security experts, and therefore bundle in code libraries assuming they are good enough to do the job without being fully aware of the possible security implications,” he told Infosecurity by email.

“Our recent mobile security report highlighted that mobile apps are a major threat vector today so we need to get better at building apps with security factored in right from the start, not as an afterthought.”
