The problem stems from the fact that the apps have not been patched against the FREAK (Factoring RSA Export Keys) attack, which researchers identified against RSA-EXPORT keys on 13 March.
Researchers at FireEye, a security firm, did not name the unpatched apps, but their categories have been revealed: shopping, finance, business, communication, computer security and medicine.
The blog post from the FireEye research team shows how even widely recognized flaws can take a long time to get fixed. This poses a real risk to users of these apps, because developers have been slow to fix the flaws.
Moreover, researchers disclosed that a majority of software programs and web browsers are also vulnerable to FREAK. The flaw allows the SSL/TLS (Secure Sockets Layer/Transport Layer Security) encryption key to be downgraded to 512 bits, making it much weaker than the 2,048-bit keys in regular use today.
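The downgrade described above ends with the server negotiating an RSA_EXPORT cipher suite. The following added example (not code from the article or from FireEye) parses a TLS ServerHello record and flags that outcome, which is the check a defender would run over captured handshakes; the three suite identifiers are the classic RSA_EXPORT values from the TLS cipher suite registry, and the sample records are constructed inline.

```python
# Added example: detect a server that has negotiated an RSA_EXPORT cipher suite,
# the outcome of a FREAK-style downgrade. Not from the article or FireEye.
import struct
from typing import Optional

# Classic RSA_EXPORT suites (IANA TLS cipher suite registry values).
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def server_hello_suite(record: bytes) -> int:
    """Return the cipher suite chosen in a TLS ServerHello record; raise ValueError otherwise."""
    if len(record) < 5 or record[0] != 0x16:      # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    (length,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + length]
    if len(body) < 4 or body[0] != 0x02:          # handshake type 2 = ServerHello
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    # ServerHello layout: version(2) random(32) session_id_len(1) session_id cipher_suite(2) compression(1)
    pos = 2 + 32
    sid_len = hs[pos]
    pos += 1 + sid_len
    (suite,) = struct.unpack("!H", hs[pos:pos + 2])
    return suite

def check_for_export_downgrade(record: bytes) -> Optional[str]:
    """Name of the RSA_EXPORT suite if the server selected one, else None."""
    return RSA_EXPORT_SUITES.get(server_hello_suite(record))

def build_server_hello(suite: int, session_id: bytes = b"") -> bytes:
    """Constructed sample ServerHello (TLS 1.0 framing) for offline testing."""
    hs = (b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
          + struct.pack("!H", suite) + b"\x00")
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x01" + struct.pack("!H", len(body)) + body

if __name__ == "__main__":
    downgraded = build_server_hello(0x0003)          # server accepted an export suite
    healthy = build_server_hello(0x002F)             # TLS_RSA_WITH_AES_128_CBC_SHA
    print(check_for_export_downgrade(downgraded))    # TLS_RSA_EXPORT_WITH_RC4_40_MD5
    print(check_for_export_downgrade(healthy))       # None
```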
The flaws originate from US government export restrictions implemented in the 1990s, which banned the sale overseas of software products with strong encryption keys.
A wide range of products need to be fixed against FREAK, which makes it a very high-profile vulnerability. Google and Apple have already patched their mobile operating systems, but hundreds of apps still need updating.
FireEye researchers identified around 1,228 of the 10,985 Google Play Android apps they analyzed as vulnerable. They also noted that these apps have already been downloaded a million times.
On iOS, 771 of the 14,079 apps analyzed by FireEye were vulnerable, but most of those were running on earlier versions of iOS, and the issue has been fixed in apps compatible with version 8.2. However, seven of the version 8.2 apps were still found to be vulnerable.
FireEye reported: “The FREAK attack poses severe threats to the security and privacy of mobile apps. We encourage app developers and website admins to fix this issue as soon as possible.”