McAfee Report Finds 18 of 25 Top Mobile Apps Reported Vulnerable in September 2014 Remain Unpatched
According to the McAfee Labs Threats Report: February 2015, released by Intel Security, mobile app providers have been slow to address one of the most basic SSL vulnerabilities: improper digital certificate chain validation. In September 2014, the Computer Emergency Response Team (CERT) at Carnegie Mellon University released a list of mobile apps possessing this weakness, including apps with millions of downloads to their credit.
In January, McAfee Labs tested the 25 most popular apps on CERT’s list of vulnerable mobile apps that send login credentials through insecure connections and found that 18 still had not been patched, despite public disclosure, vendor notification, and, in some cases, multiple version updates addressing concerns other than security. McAfee Labs researchers simulated man-in-the-middle (MITM) attacks that successfully intercepted information shared during supposedly secure SSL sessions. The vulnerable data included usernames and passwords and, in some instances, login credentials from social networks and other third-party services.
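The weakness the report describes, a TLS client that never checks the server's certificate chain, beside its corrected form, as an added example that is not code from McAfee, CERT or any of the apps tested. It assumes a Python client using the standard `ssl` module rather than a mobile app, and the `audit_client_context` check is a hypothetical helper of the kind a test suite could run to catch the weak configuration before release.

```python
import ssl
from typing import List


def insecure_client_context() -> ssl.SSLContext:
    """The mistake behind the report's finding: a client that accepts any
    certificate, so a MITM presenting a self-signed certificate is trusted
    and the login credentials sent over the session are exposed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be disabled before verify_mode can be set to CERT_NONE.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """The corrected form: the certificate chain must validate against the
    platform's trusted CA store and the hostname must match the certificate."""
    ctx = ssl.create_default_context()
    assert ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings for a client context; an empty list means the
    context enforces chain validation and hostname matching."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not validated (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("server hostname is not matched against the certificate")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_client_context(ctx) or ["ok"])
```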
Although there is no evidence that these mobile apps have been exploited, the cumulative number of downloads for these apps ranges into the hundreds of millions. Given these numbers, McAfee Labs’ findings suggest that the choice by mobile app developers not to patch the SSL vulnerabilities has potentially put millions of users at risk of becoming targets of MITM attacks.
“Mobile devices have become essential tools for home and enterprise users as we increasingly live our lives through these devices and the applications created to run on them,” said Vincent Weafer, SVP of McAfee Labs, part of Intel Security. “Digital trust is an imperative for us to truly engage with and benefit from the functionality they can provide. Mobile app developers must take greater responsibility for ensuring that their applications follow the secure programming practices and vulnerability responses developed over the past decade, and by doing so provide the level of protection required for us to trust our digital lives with them.”