FREAK Out on Mobile

Recent disclosure of the FREAK attack [1] raises security concerns on TLS implementations once again after Heartbleed [2]. However, freakattack.com devotes client-side security checks to various browsers only. In this blog, we examine iOS and Android apps for their security status against FREAK attacks as clients.

A FREAK attack “allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data.”[1] For a FREAK attack to succeed, the server has to accept RSA_EXPORT cipher suites and the client has to allow temporary RSA keys in non-export ciphersuites. The attacker may therefore reduce the connection’s encryption strength for easier data theft.

As of March 4, both of the latest Android and iOS platforms are vulnerable to FREAK [3]. FREAK is both a platform vulnerability and an app vulnerability since both iOS and Android apps may contain vulnerable versions of the OpenSSL library themselves. Even after vendors patch Android and iOS, such apps are still vulnerable to FREAK when connecting to servers that accept RSA_EXPORT cipher suites. That’s why some iOS apps are still vulnerable to FREAK attack after Apple fixed the iOS FREAK vulnerability in iOS 8.2 [4] on March 9.

After scanning 10,985 popular Google Play Android apps with more than 1 million downloads each, we found 1228 (11.2%) of them are vulnerable to a FREAK attack because they use a vulnerable OpenSSL library to connect to vulnerable HTTPS servers. These 1228 apps have been downloaded over 6.3 billion times. Of these 1228 Android apps, 664 use Android’s bundled OpenSSL library and 564 have their own compiled OpenSSL library. All these OpenSSL versions are vulnerable to FREAK.

On the iOS side, 771 out of 14,079 (5.5%) popular iOS apps connect to vulnerable HTTPS servers. These apps are vulnerable to FREAK attacks on iOS versions lower than 8.2. Seven these 771 apps have their own vulnerable versions of OpenSSL and they remain vulnerable on iOS 8.2.

Vulnerability Stats

An attacker may launch a FREAK attack using man-in-the-middle (MITM) techniques to intercept and modify the encrypted traffic between the mobile app and backend server. The attacker can do this using well-known techniques such as ARP spoofing or DNS hijacking. Without necessarily breaking the encryption in real time, the attacker can record weakly encrypted network traffic, decrypt it and access the sensitive information inside.

Table 1 plots the number of vulnerable Android and iOS apps in security- and privacy-sensitive categories. Less sensitive categories such as Sports and Games are not included here. As illustrated by the red bars, app developers are fixing the FREAK vulnerability. For Android apps, we further plotted the download numbers of vulnerable apps in those same categories in Table 2. The blue bars denote the download numbers of apps still vulnerable as of March 10.

Table 1. Number of apps vulnerable to FREAK

 

 

Table 2. Number of Android app downloads (logarithmic scale) vulnerable to FREAK

 

Attack Scenario

As an example, an attacker can use a FREAK attack against a popular shopping app to steal a user’s login credentials and credit card information. Other sensitive apps include medical apps, productivity apps and finance apps. Figure 1 and Figure 2 show the clear text communications between the vulnerable app and its paired server after being decrypted by the attacker.

Figure 1. Decrypted login credentials

Figure 2. Decrypted credit card information

Mobile apps have become important frontends and valuable targets for attackers. The FREAK attack poses severe threats to the security and privacy of mobile apps. We encourage app developers and website admins to fix this issue as soon as possible.

References

[1] https://freakattack.com/

[2] http://heartbleed.com/

[3] http://www.engadget.com/2015/03/04/freak-flaw-ios-android-ssl-bug/

[4] https://support.apple.com/en-us/HT204423