Mobile app makers are failing to patch critical secure socket layer (SSL) vulnerabilities, potentially leaving millions of mobile phone users at risk, warns McAfee Labs.
In its latest threat report, McAfee Labs also revealed details on the increasingly popular Angler exploit kit, and warned of increasingly aggressive potentially unwanted programs (PUPs) that change system settings and gather personal information without the knowledge of users.
McAfee Labs researchers found that mobile app providers have been slow to address the most basic SSL vulnerabilities: improper digital certificate chain validation. In September 2014, the Computer Emergency Response Team (CERT) at Carnegie Mellon University released a list of mobile apps possessing this weakness, including apps with millions of downloads to their credit.
In January, McAfee Labs tested the 25 most popular apps on CERT’s list of vulnerable mobile apps that send login credentials through insecure connections and found that 18 still have not been patched despite public disclosure, vendor notification, and, in some cases, multiple version updates addressing concerns other than security.
McAfee Labs researchers simulated man-in-the-middle (MITM) attacks that successfully intercepted information shared during supposedly secure SSL sessions. The vulnerable data included usernames and passwords and in some instances, login credentials from social networks and other third party services.
Although there is no evidence that these mobile apps have been exploited, the cumulative number of downloads for these apps ranges into the hundreds of millions. Given these numbers, McAfee Labs’ findings suggest that the choice by mobile app developers to not patch the SSL vulnerabilities has potentially put millions of users at risk of becoming targets of MITM attacks.
“Mobile devices have become essential tools for home to enterprises users as we increasing live our lives through these devices and the applications created to run on them ,” said Vincent Weafer, SVP of McAfee Labs, part of Intel Security.