
FREAKish apps still have security holes

Glenn Fleishman | March 20, 2015
Apple patched iOS and OS X, but apps can still be vulnerable due to Apple's limited update policy.

The web security exploit known as FREAK that I discussed last week was patched by Apple days after it was discovered two weeks ago. FREAK relied on a configuration issue in web servers combined with a backwards-compatibility flaw in many software libraries used to create secure connections. But the patch only affected Apple's operating systems--not all apps.

This highlights how apps can remain vulnerable due to developers' choices. And Apple's FREAK update only fixed the problem in iOS 8.2, OS X 10.8, 10.9, and 10.10. While I addressed part of that last week, there's more to say.

When apps attack--or are attacked
Researchers at FireEye noted in a blog post on Wednesday that while operating systems have been updated, their tests indicate that many Android and a handful of iOS apps rely on internal security code libraries, rather than using the security components in an OS.

FireEye tested nearly 11,000 popular Android apps in the official Google Play Store, and over 14,000 iOS apps. Of those tested, they discovered 1,228 Android apps and 771 iOS apps that connect to secure servers that haven't yet been (or may never be) updated to fix the server-side part of the FREAK exploit.

Android has it worse: nearly half of the affected apps found build in their own encryption software rather than relying on Android's, and are susceptible to FREAK. On iOS, only seven apps that bypass Apple's security framework are still vulnerable in iOS 8.2. All 771 apps remain vulnerable in all previous releases of iOS in which they still work.

While not all of those apps, Android or iOS, involve sensitive data, any program that uses a login or transfers private information--such as personal photos--can be a key to identity theft, harassment and extortion, and access to other services for which someone uses the same account name or email address and password.

If you like it, put a pin on it
Despite Apple's close scrutiny of app submissions, third-party software is allowed wide latitude in how it communicates with servers so long as Apple's rules about information privacy are upheld. (And even then, it's only when a breach happens or someone reports a problem that non-obvious issues are discovered.)

For instance, there's been growing concern for years about the ability of governments, criminals, and others to subvert the certificate system that underlies secure web, email, and other connections. Certificates are issued by hundreds of parties around the world, and operating systems and browsers use a cryptographic double-check to make sure that a secure website is what it says it is. This validation prevents man-in-the-middle attacks.

FREAK allowed one form of attack by forcing a downgrade to an older form of encryption that could be cracked. Certificate authorities (CAs) that sign off on digital proofs have been hacked and subverted a few times in the last several years, and each time new safeguards have been put in place. But they're not all there yet.
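The downgrade described above, seen from the client's side, as an added example that is not from the article, FireEye, or any vendor's patch: a check that rejects a TLS ServerHello whose selected cipher suite is export-grade RSA or was never offered by the client. The function names, the `OFFERED` set, and the sample records are constructed for illustration, and the check covers only the ServerHello suite selection.

```python
import struct

# TLS_RSA_EXPORT_WITH_* suite IDs from the IANA TLS registry (40-bit export grade).
RSA_EXPORT_SUITES = {0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
                     0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
                     0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"}

def selected_suite(record: bytes) -> int:
    """Return the cipher suite ID chosen in a TLS ServerHello record."""
    if len(record) < 9:
        raise ValueError("truncated record")
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    # Content type 0x16 = handshake, handshake type 0x02 = ServerHello.
    if ctype != 0x16 or len(body) != rec_len or rec_len < 4 or body[0] != 0x02:
        raise ValueError("not a complete ServerHello handshake record")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # Layout: version(2) + random(32) + session_id_len(1) + session_id + suite(2) + compression(1)
    if len(hello) < 35:
        raise ValueError("truncated ServerHello")
    off = 35 + hello[34]
    if len(hello) < off + 3:
        raise ValueError("truncated ServerHello")
    return int.from_bytes(hello[off:off + 2], "big")

def check_server_hello(record: bytes, offered: set) -> str:
    """Refuse export-grade RSA suites and any suite the client did not offer."""
    suite = selected_suite(record)
    if suite in RSA_EXPORT_SUITES:
        return "reject: export-grade " + RSA_EXPORT_SUITES[suite]
    if suite not in offered:
        return "reject: suite 0x%04x was never offered" % suite
    return "ok"

def sample_server_hello(suite: int) -> bytes:
    """Constructed sample input: minimal TLS 1.2 ServerHello with an empty session id."""
    hello = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

# Constructed client offer containing no export suites.
OFFERED = {0xC02F, 0x009C, 0x002F}

if __name__ == "__main__":
    for suite in (0x002F, 0x0003, 0x0035):
        print(hex(suite), check_server_hello(sample_server_hello(suite), OFFERED))
```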
