Around two thousand of the most popular iOS and Android apps appear to be vulnerable to FREAK, according to a new report from security researchers at FireEye.
Security researchers at FireEye have found that many popular iOS and Android apps are vulnerable to FREAK (Factoring RSA Export Keys), a flaw that has existed for years but only resurfaced publicly in recent weeks. The count is well over a thousand, and that is counting only the most popular apps on the App Store and Google Play.
Specifically, 1,288 Android apps with more than one million downloads each are affected, along with 771 of the 14,079 most popular iOS apps on the App Store. On both platforms the vulnerable apps use cryptographic libraries that will still connect to a server with weak, export-grade encryption keys, which some servers apparently still accept today.
FREAK dates back to the 1990s, when US export rules capped the strength of the cryptography allowed in software shipped abroad. To exploit it, an attacker positioned as a man-in-the-middle between a client (such as a browser or an app) and a server, both of which must be vulnerable, forces the connection down to 512-bit export-grade RSA. A key that short can be factored, which lets the attacker recover the session keys and read the sensitive data the connection carries.
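The downgrade described above, modelled offline as an added example (this is not FireEye's code or anything from the page): a minimal TLS 1.0 ClientHello and an RSA_EXPORT ServerRSAParams structure are constructed by hand, the cipher suite code points are the RSA_EXPORT values from RFC 2246, and the "export key" is a placeholder integer of the right bit length rather than a real RSA key (nothing here factors anything). The client-side check that decides the outcome is the one a patched client performs: an RSA ServerKeyExchange is only acceptable when an RSA_EXPORT suite was actually negotiated.

```python
"""Added example: the FREAK downgrade walked end to end, offline, for a
vulnerable and for a patched TLS client. TLS records are constructed by
hand; the 512-bit modulus is a stand-in, not a real key."""
import struct

# RSA_EXPORT cipher suites (RFC 2246). A server that still accepts any of these
# is the server half of a FREAK-vulnerable pair.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F  # an ordinary, non-export RSA suite
EXPORT_KEY_BITS = 512                  # the 1990s export ceiling for RSA key exchange


def build_client_hello(suites):
    """Serialise a minimal TLS 1.0 ClientHello record offering `suites`."""
    body = b"\x03\x01" + bytes(32) + b"\x00"          # version, random (zeroed here), empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello_suites(record):
    """Cipher suites offered in a ClientHello record: what a scanner or proxy
    reads off the wire to see whether a client volunteers export suites."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 2 + 32                                       # skip client_version and random
    pos += 1 + body[pos]                               # skip session_id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, suites_len, 2)]


def offered_export_suites(record):
    """Names of the RSA_EXPORT suites a client offers in its ClientHello."""
    return [RSA_EXPORT_SUITES[s] for s in parse_client_hello_suites(record) if s in RSA_EXPORT_SUITES]


def build_server_rsa_params(modulus_bits, exponent=65537):
    """ServerRSAParams as carried in an RSA_EXPORT ServerKeyExchange (signature
    omitted). The modulus is a constructed placeholder of the requested size."""
    modulus = (1 << (modulus_bits - 1)) | 1
    m = modulus.to_bytes((modulus_bits + 7) // 8, "big")
    e = exponent.to_bytes(3, "big")
    return struct.pack("!H", len(m)) + m + struct.pack("!H", len(e)) + e


def parse_server_rsa_params(params):
    """Decode ServerRSAParams into (modulus, exponent)."""
    mlen = struct.unpack("!H", params[:2])[0]
    modulus = int.from_bytes(params[2:2 + mlen], "big")
    pos = 2 + mlen
    elen = struct.unpack("!H", params[pos:pos + 2])[0]
    exponent = int.from_bytes(params[pos + 2:pos + 2 + elen], "big")
    return modulus, exponent


def client_accepts_server_key_exchange(negotiated_suite, params, patched):
    """The check at the heart of the client-side bug. A correct client expects
    an RSA ServerKeyExchange only when an RSA_EXPORT suite was negotiated;
    the vulnerable client takes the temporary key regardless."""
    modulus, _ = parse_server_rsa_params(params)
    if patched and negotiated_suite not in RSA_EXPORT_SUITES:
        return False, modulus.bit_length()
    return True, modulus.bit_length()


def simulate_freak(client_suites, server_supports_export, patched_client):
    """Walk the downgrade and report whether the attacker ends up with a
    key-exchange secret encrypted under a factorable export-size modulus."""
    client_hello = build_client_hello(client_suites)
    # 1. The MITM rewrites the offered suites to export-only before forwarding.
    mitm_hello = build_client_hello(list(RSA_EXPORT_SUITES))
    if not server_supports_export or not offered_export_suites(mitm_hello):
        return {"outcome": "server rejected export suite", "exposed": False}
    # 2. The server answers with its export key; the MITM forwards it but shows
    #    the client a ServerHello naming the suite the client really offered.
    params = build_server_rsa_params(EXPORT_KEY_BITS)
    client_view_suite = parse_client_hello_suites(client_hello)[0]
    accepted, bits = client_accepts_server_key_exchange(client_view_suite, params, patched_client)
    if not accepted:
        return {"outcome": "client aborted handshake", "exposed": False}
    # 3. The client encrypts the premaster secret under the short key; a
    #    modulus of this size is within reach of factoring, so the session keys follow.
    return {"outcome": "premaster secret sent under %d-bit RSA" % bits, "exposed": bits <= EXPORT_KEY_BITS}


if __name__ == "__main__":
    print(offered_export_suites(build_client_hello([TLS_RSA_WITH_AES_128_CBC_SHA, 0x0003])))
    print(simulate_freak([TLS_RSA_WITH_AES_128_CBC_SHA], True, patched_client=False))
    print(simulate_freak([TLS_RSA_WITH_AES_128_CBC_SHA], True, patched_client=True))
```

Two things follow from the model. A client that never offers an export suite is not safe on its own: the MITM supplies the export suite to the server, so what protects the client is the ServerKeyExchange check (or a server that refuses export suites outright). And `offered_export_suites` is the quick test for the other direction: a ClientHello that volunteers any RSA_EXPORT suite marks a client that would accept a 512-bit key even without the bug.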
In the case of iOS and Android apps, "a FREAK attack can be carried out against a popular online shopping application to steal a user's login credentials and credit card information," wrote Yulong Zhang, Zhaofeng Chen, Hui Xue and Tao Wei in a post on FireEye's official blog. "Other vulnerable apps include medical, financial and productivity software."
Although Apple has already shipped a fix in iOS 8.2, 7 of the 771 iOS apps flagged by the security company remain vulnerable to FREAK even on the latest version of the operating system; on earlier versions, all 771 are still exploitable. FireEye did not name the affected apps, leaving individual users to ask each developer whether the data they enter is safe.