Webroot, Avira Patch Flaws in Mobile Security Apps

Avira and Webroot have updated their mobile security applications for iOS to address vulnerabilities that could have been exploited in man-in-the-middle (MitM) attacks.

Security researcher David Coomber has identified an SSL certificate validation vulnerability in Webroot Mobile Protection for iOS. The app, part of the SecureAnywhere Business suite, is designed to provide essential security for iPhones and iPads, and includes features that allow IT teams to manage and secure their mobile workforce from a central console.

According to an advisory published last week by Coomber, Webroot Mobile Protection versions 1.10.316 and prior don’t validate the SSL certificates received when connecting to secure websites.

Because the app accepts any certificate, an attacker positioned between the device and the server (for example on the same Wi-Fi network) could present a forged certificate during the TLS handshake, terminate the connection themselves, and silently read or modify the traffic, including usernames, passwords and other sensitive information.

The vulnerability was reported to Webroot on August 2 and it was patched on August 31 with the release of Webroot Mobile Protection 1.11.

In a statement sent to SecurityWeek on Tuesday, Webroot CMO David Duncan said users were not at risk.

“Webroot does not rely on SSL to protect user or threat information to BrightCloud. We long ago recognized that relying on SSL transmit to protect user info would present a weakness. Webroot instead encrypts any sensitive data we transmit to the cloud using strong encryption with a 1024 bit key. This eliminates the need for SSL pinning,” Duncan explained.

Coomber has identified a similar vulnerability in Avira Mobile Security for iOS, an app designed for email protection and lost device recovery.

Avira Mobile Security versions 1.5.7 and prior send login information in an HTTP POST request over an unencrypted connection. This allows an MitM attacker on the network path to capture usernames, passwords and other sensitive information. According to the researcher, the password is hashed before it is sent, but the hash is MD5, a fast general-purpose digest rather than a password hashing function, so an attacker who captures it can recover the password offline with a wordlist or precomputed tables.

The researcher reported the flaw to Avira on July 17 and the security firm patched it on September 3 with the release of Avira Mobile Security 1.5.11.
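The following is an added example, not code from the article, from Avira or from the researcher. It reconstructs the pattern described above in the simplest form: a client that MD5-hashes the password and POSTs it over plain HTTP, an interceptor that parses the plaintext request off the wire, and a wordlist attack against the captured hash. The host name, URL path, form field names, credentials and wordlist are all constructed for the illustration and are not taken from the real app.

```python
"""Added example: why an MD5 of the password inside a plaintext HTTP POST
does not protect the password from a man-in-the-middle.

Everything below (host, path, field names, wordlist, credentials) is
constructed for illustration and is not the real app's protocol.
"""
import hashlib
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import parse_qs, urlencode


def build_login_request(email: str, password: str) -> str:
    """Mimic the weak client: hash the password with unsalted MD5 and send it
    in a form-encoded POST over HTTP (no TLS). Hypothetical host and path."""
    body = urlencode({
        "email": email,
        "password_hash": hashlib.md5(password.encode("utf-8")).hexdigest(),
    })
    return (
        "POST /api/v1/login HTTP/1.1\r\n"
        "Host: login.example.invalid\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
        f"{body}"
    )


def extract_credentials(raw_request: str) -> Dict[str, str]:
    """What an attacker on the path sees. Without TLS the request is plaintext,
    so splitting headers from body and parsing the form is all it takes."""
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, path, _version = request_line.split(" ", 2)
    fields = {name: values[0] for name, values in parse_qs(body).items()}
    return {"method": method, "path": path, **fields}


def crack_md5(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack. One md5() per candidate, no per-user salt,
    so the same precomputed table works against every captured user."""
    target = target_hex.lower()
    for candidate in wordlist:
        if hashlib.md5(candidate.encode("utf-8")).hexdigest() == target:
            return candidate
    return None


# Constructed stand-in for a rockyou-style wordlist.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2015!", "iloveyou"]


def intercept_and_crack(email: str, password: str,
                        wordlist: Iterable[str] = WORDLIST) -> Tuple[str, str, Optional[str]]:
    """End to end: the client sends, the attacker captures, the attacker cracks.
    Returns (captured email, captured hash, recovered password or None)."""
    captured = extract_credentials(build_login_request(email, password))
    recovered = crack_md5(captured["password_hash"], wordlist)
    return captured["email"], captured["password_hash"], recovered


if __name__ == "__main__":
    email, digest, recovered = intercept_and_crack("alice@example.invalid", "Summer2015!")
    print(f"captured {email} / {digest}")
    print(f"recovered password: {recovered}")
```

Two caveats a tester would note. First, cracking is only needed to reuse the password elsewhere: the captured hash is itself the credential the server accepts, so an attacker can replay it against the login endpoint without ever learning the plaintext. Second, swapping MD5 for a slow, salted password hash would not fix this design; the fix is transport protection (HTTPS with proper certificate validation), which is what the 1.5.11 update is described as providing.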

Last week, researchers reported finding some serious vulnerabilities in products from Kaspersky and FireEye. Kaspersky managed to roll out a patch in less than 24 hours after Google security engineer Tavis Ormandy disclosed the flaw.

FireEye, on the other hand, is still analyzing the reported issues. The security firm said it only learned of the vulnerabilities on Monday, but the researcher who uncovered the flaws claims to have been trying to get the company’s attention for the past 18 months.

*Updated with statement from Webroot

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
