Webroot, Avira Patch Flaws in Mobile Security Apps

Avira and Webroot have updated their mobile security applications for iOS to address vulnerabilities that could have been exploited in man-in-the-middle (MitM) attacks.

Security researcher David Coomber has identified an SSL certificate vulnerability in Webroot Mobile Protection for iOS. The app, part of the SecureAnywhere Business suite, is designed to provide essential security for iPhones and iPads, and includes features that allow IT teams to manage and secure their mobile workforce from a central console.

According to an advisory published last week by Coomber, Webroot Mobile Protection versions 1.10.316 and prior don’t validate the SSL certificates received when connecting to secure websites.

This could allow an MitM attacker to inject a rogue SSL certificate into the victim’s session and silently intercept usernames, passwords, and other sensitive information.
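The defect described above is a client that accepts any server certificate. The following is an added illustration, not code from either app, written against Python's standard `ssl` module rather than the iOS networking APIs: it builds the weak client configuration beside the hardened one and includes a small audit function a reviewer could run over any client context to flag the same class of misconfiguration. The `TLSv1_2` floor and the audit wording are assumptions of this example.

```python
import ssl
from typing import List


def weak_client_context() -> ssl.SSLContext:
    """Client context that never checks the server certificate.

    This reproduces the behaviour the advisory describes: any certificate
    presented by a man-in-the-middle is accepted, so the session can be
    silently intercepted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE  # chain is never validated against a trust store
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Client context with chain validation and hostname checking enabled."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumed policy floor for this example
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of findings for a client context; an empty list means no issue found."""
    findings: List[str] = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate chain verification disabled (CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 permitted")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(name, audit_tls_context(ctx) or "no findings")
```

The hardened context needs no extra code to reject a rogue certificate: `create_default_context()` already requires a chain that terminates in the platform trust store and a name that matches the host, which is exactly what the vulnerable app versions omitted.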

The vulnerability was reported to Webroot on August 2 and it was patched on August 31 with the release of Webroot Mobile Protection 1.11.

In a statement sent to SecurityWeek on Tuesday, Webroot CMO David Duncan said users were not at risk.

“Webroot does not rely on SSL to protect user or threat information to BrightCloud. We long ago recognized that relying on SSL transmit to protect user info would present a weakness. Webroot instead encrypts any sensitive data we transmit to the cloud using strong encryption with a 1024 bit key. This eliminates the need for SSL pinning,” Duncan explained.

Coomber has identified a similar vulnerability in Avira Mobile Security for iOS, an app designed for email protection and lost device recovery.

Avira Mobile Security versions 1.5.7 and prior send login information via an HTTP POST request. This allows an MitM attacker to capture usernames, passwords and other sensitive information. According to the researcher, the password is hashed, but since the MD5 algorithm is used for the task, it’s easy for a malicious hacker to crack the password.
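Why an MD5-hashed password offers so little protection once captured: MD5 is fast and, used without a salt, deterministic, so every user with the same password produces the same digest and a captured digest can be matched against precomputed tables. The following added example (not Avira's code) contrasts that scheme with a salted, iterated password hash from Python's standard library; the PBKDF2 parameters and the sample users are constructed for this illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Legacy scheme as described in the article: a bare MD5 of the password, no salt.
def md5_password_digest(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Assumed replacement scheme for this example: per-user random salt, PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 200_000  # assumed work factor


def pbkdf2_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte salt is drawn when none is supplied."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def pbkdf2_verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison against a stored (salt, digest) record."""
    _, digest = pbkdf2_record(password, salt)
    return hmac.compare_digest(digest, expected)


def compare_schemes(password: str) -> Dict[str, bool]:
    """Hash one password for two constructed users under each scheme.

    Under unsalted MD5 both users get the identical digest, so recovering one
    password (by table lookup) reveals the other. Under salted PBKDF2 the stored
    digests differ and each must be attacked separately at the chosen work factor.
    """
    md5_user_a = md5_password_digest(password)
    md5_user_b = md5_password_digest(password)
    _, pbkdf2_user_a = pbkdf2_record(password)
    _, pbkdf2_user_b = pbkdf2_record(password)
    return {
        "md5_identical_for_two_users": md5_user_a == md5_user_b,
        "pbkdf2_identical_for_two_users": pbkdf2_user_a == pbkdf2_user_b,
    }


if __name__ == "__main__":
    print(compare_schemes("password"))  # constructed sample password
```

Hashing on the client does not make an HTTP login safe either way: whatever value is posted in cleartext is the credential the server accepts, so the transport must be TLS with certificate validation regardless of the hash algorithm.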

The researcher reported the flaw to Avira on July 17 and the security firm patched it on September 3 with the release of Avira Mobile Security 1.5.11.

Last week, researchers reported finding some serious vulnerabilities in products from Kaspersky and FireEye. Kaspersky managed to roll out a patch in less than 24 hours after Google security engineer Tavis Ormandy disclosed the flaw.

FireEye, on the other hand, is still analyzing the reported issues. The security firm said it only learned of the vulnerabilities on Monday, but the researcher who uncovered the flaws claims to have been trying to get the company’s attention for the past 18 months.

*Updated with statement from Webroot

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.