McAfee: Popular Mobile Apps Remain Vulnerable to MiTM Flaws Found Last Year

Intel Security’s McAfee Labs is reporting that the vast majority of the most popular mobile apps found to be vulnerable to man-in-the-middle (MitM) attacks in research performed last year remain exposed to attack.

The McAfee report revisits an analysis performed by Carnegie Mellon University’s Computer Emergency Response Team (CERT). In September, CERT revealed that more than 20,000 Android applications failed to validate SSL certificates, leaving users vulnerable to attackers. A spreadsheet of the affected applications can be found here.  

According to McAfee Labs, nearly three-quarters of the 25 most downloaded apps on CERT’s list are still unpatched.

“Specifically, we dynamically tested the top 25 downloaded mobile apps that had been identified as vulnerable by CERT in September to ensure that usernames and passwords are no longer visible as a result of improper verification of SSL certificates,” according to the McAfee report. “To our surprise, even though CERT notified the developers months ago, 18 of the 25 most downloaded vulnerable apps that send credentials via insecure connections are still vulnerable to MITM attacks.”

“The most downloaded vulnerable app in this group is a mobile photo editor with between 100 million and 500 million downloads,” the report continues. “The app allows users to share photos on several social networks and cloud services. In late January, McAfee Labs tested the most current version of the app downloaded from Google Play using CERT Tapioca; we were able to intercept the app’s username and password credentials entered to log into the cloud service to share and publish photos.”

While the researchers did not find evidence that these apps had been exploited, the cumulative number of downloads for the apps ranges into the hundreds of millions.

“Mobile devices have become essential tools for home to enterprise users as we increasingly live our lives through these devices and the applications created to run on them,” said Vincent Weafer, senior vice president of McAfee Labs, part of Intel Security, in a statement. “Digital trust is an imperative for us to truly engage with and benefit from the functionality they can provide. Mobile app developers must take greater responsibility for ensuring that their applications follow the secure programming practices and vulnerability responses developed over the past decade, and by doing so provide the level of protection required for us to trust our digital lives with them.”

The latest findings were included in the McAfee Labs Threat Report: February 2015, which also revealed that mobile malware samples jumped 14 percent during the final quarter of 2014. Asia and Africa led the way with the highest infection rates. In addition, at least eight percent of all McAfee-monitored mobile systems reported an infection in the fourth quarter of last year, with much of the activity tied to the AirPush ad network.

In addition to mobile security, the report also touched on the Angler exploit kit, which grew in popularity among attackers in the second half of 2014. The full report can be read here.
