If you think you are safe from the FREAK (Factoring RSA Export Keys) exploit because you updated to iOS 8.2, think again. According to an AppleInsider report, security researchers at FireEye went through thousands of iOS and Android apps to see if they were vulnerable.
What those security researchers found is a bit frightening. Of the top 14,079 apps in the iOS App Store, 771 are open to attack. The vulnerable apps use affected cryptographic libraries to connect to servers with weak encryption keys. Those keys are still in use today.
“As an example, an attacker can use a FREAK attack against a popular shopping app to steal a user’s login credentials and credit card information,” the FireEye researchers said. “Other sensitive apps include medical apps, productivity apps and finance apps.”
FREAK was discovered earlier in March. It takes advantage of deprecated encryption protocols that are decades old: malicious users are able to force an encryption downgrade and then capture and harvest sensitive data. Apple has issued patches for OS X, iOS, and Apple TV, but if you haven’t upgraded your hardware, you are still at risk. Even with the patches installed, seven of the 771 affected iOS apps are still vulnerable.
Users are currently able to choose between more than 1.2 million apps in the iOS App Store alone. Exactly how many of those apps are affected by the FREAK exploit is unknown, and FireEye was only able to test a small subset of the apps in the App Store. With that in mind, you should continue to be careful with your personal information while Apple and others work to shore up the holes caused by this ancient encryption technology.