Sensitive apps with 6.3 Billion downloads found vulnerable to FREAK

Microsoft and Apple might have patched up their FREAK (Factoring RSA Export Keys) flaws, but there are still thousands of Android and Apple apps facing the same issue.

The apps could lose sensitive financial and privacy data, researchers say.

The flaw, dating back over a decade, is in encryption, stemming from a US government policy decision back in the 1990s which prohibited the use of strong encryption, and stipulated that a weaker standard (using only 512-bit cryptography, which is considered very poor these days) should be applied to products headed for customers in other countries. This was done for reasons of national security – i.e. spying.

FireEye researchers Yulong Zhang, Hui Xue, Tao Wei, and Zhaofeng Chen trawled the app stores and found 1228 Android offerings vulnerable to FREAK, The Register reports.

The apps had been downloaded 6.3 billion times in total.

"After scanning 10,985 popular Google Play Android apps with more than 1 million downloads each, we found 1228 of them are vulnerable to a FREAK attack because they use a vulnerable OpenSSL library to connect to vulnerable HTTPS servers," the team wrote in a report.

"An attacker may launch a FREAK attack using man-in-the-middle techniques to intercept and modify the encrypted traffic between the mobile app and backend server.

"The attacker can do this using well-known techniques such as ARP spoofing or DNS hijacking. Without necessarily breaking the encryption in real time, the attacker can record weakly encrypted network traffic, decrypt it and access the sensitive information inside."

Researchers concluded that the FREAK exposure is not limited to browsers.