iOS, Android Apps Still at Risk From FREAK Attacks
FireEye research shows that both iOS and Android remain at risk from the FREAK SSL/TLS vulnerability.On March 3, news first broke about the Factoring attack on RSA-EXPORT Keys (FREAK) attack against Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption. Two weeks after that initial disclosure, security firm FireEye has found that both Apple iOS and Google Android apps are still at risk. FREAK, also identified as CVE-2015-0204, is a cryptographic weakness in export-grade cryptography that can be used for SSL/TLS. FireEye scanned 10,985 Android apps that had 1 million or more downloads and found that 1,228 of them were at risk from FREAK. The story for Apple iOS apps is somewhat better, with only seven apps out of 14,079 apps tested found to be vulnerable to FREAK, so long as the user is running iOS 8.2. Apple released iOS 8.2 on March 9, providing a fix for FREAK at the operating system layer. FireEye found that 771 iOS apps were vulnerable on Apple devices not running IOS 8.2. SSL/TLS connections rely on cryptographic libraries present on both end-user devices as well as the back-end server. "We evaluated both client-side OpenSSL implementations and server-side SSL configurations to determine whether the app is vulnerable to FREAK," Tao Wei, senior research scientist at FireEye, told eWEEK.
The risk with FREAK is that it can be leveraged by an attacker in a man-in-the-middle (MiTM) attack, in which the attacker is able to intercept traffic between vulnerable clients and servers. FREAK is a weakness in implementations of SSL/TLS that may allow an attacker to decrypt secure communications, according to Wei.