Early in the month, details were published about a new SSL / TLS vulnerability that exists between vulnerable clients and servers called the FREAK attack. SSL, Secure Socket Layer, and TLS, Transport Layer Security, are systems and protocols that ensure privacy between communicating applications and users, or clients, on the Internet. FREAK is an exploit that allows an attacker to break into, steal or manipulate sensitive data. FREAK was discovered by Karthikeyan Bhargavan at INRIA in Paris and the miTLS team. The FREAK attack is possible when a vulnerable browser connects to a susceptible web server; one that accepts export-grade encryption. Since the FREAK attack was disclosed, we’ve seen a website set up to raise awareness of the risk but at the time of writing, the FREAK site reports that, “more than a third of all servers with browser-trusted certificates are at risk.”
To bring this into the context of our Android devices, a report issued earlier this week from online security company FireEye highlights that over twelve hundred Android applications, downloaded over six billion times from the Google Play Store, are vulnerable to the FREAK bug. FireEye go on to state that the latest Android and iOS platforms are vulnerable to the security issue; FREAK is both a potential issue for both the platform and application depending on the connection. However, it should be said that the FireEye team did not check all applications but instead, the eleven thousand applications with over one million downloads each. In short, over eleven percent of applications have the bug because they “use a vulnerable OpenSSL library to connect to vulnerable HTTPS servers.” Of these, 664 use the Android OpenSSL library and the remainder use custom libraries.
What sort of information could be at risk? FireEye give the example of an online shopping application whereby an attacker could steal login credentials and credit card information. Medical, productivity and finance applications may also be vulnerable. The gallery at the bottom of the article displays the total number of vulnerable Android and iOS applications, the vulnerable Android applications and their download totals. The third and fourth screenshots show the clear text communications between a vulnerable application and the paired server after being decrypted by the attacker. We’ve login credentials and credit card information available here.
FREAK seemingly follows closely with other high profile Internet security news stories, such as the Heartbleed. It’s great the developers and designers are working hard to secure these applications from attacks, but it seems that the online security arms race is far from over.