Mobile app developers slow to address vulnerabilities: Report
25 Feb 2015
Even as malware and other security threats continue to plague mobile users, a new McAfee report reveals that mobile app providers have been slow to address the most basic SSL vulnerabilities – improper digital certificate chain validation, digit.in reported.
In September 2014, the Computer Emergency Response Team (CERT) at Carnegie Mellon University released a list of mobile apps with the weakness, which included apps with millions of downloads to their credit.
Further, revealing details on the increasingly popular Angler exploit kit, CERT warned of increasingly aggressive potentially unwanted programs (PUPs) that changed system settings and gathered personal information without the knowledge of users.
The new report comes shortly after the release of a similar report by F-Secure highlighting growth of malware and banking related threats for internet users in India.
In January, during its testing of the 25 most popular apps on CERT's list of vulnerable mobile apps that sent login credentials over insecure connections, McAfee found that 18 still had not been patched despite public disclosure, vendor notification, and, in some cases, multiple version updates addressing concerns other than security.
Meanwhile, PTI reported that cellphones with mobile apps could be potential targets of cyber attacks globally and that subscribers' data, including usernames and passwords, was at risk, security software maker McAfee said in the report.
The report said the most downloaded vulnerable app in this group was a mobile photo editor, with between 100 million and 500 million downloads, that allowed users to share photos on several social networks and cloud services.
"McAfee Labs researchers simulated man-in-the-middle (MITM) attacks that successfully intercepted information shared during supposedly secure SSL sessions. The vulnerable data included usernames and passwords and in some instances, login credentials from social networks and other third party services," it said.
Although there was no evidence that these mobile apps had been exploited, the cumulative number of downloads for these apps ranged into the hundreds of millions, according to the report.
"Given these numbers, McAfee Labs' findings suggest that the choice by mobile app developers to not patch the SSL vulnerabilities has potentially put millions of users at risk of becoming targets of MITM attacks," it added.
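The certificate-validation failure the report describes, as an added example that is not from the McAfee report or this article: a client TLS context that validates the certificate chain and hostname, beside the "accept anything" configuration that makes an app interceptable, plus an audit helper that flags the weak settings. The function names are my own.

```python
import ssl


def make_validating_context(cafile=None):
    """Client context that validates the server's certificate chain and hostname.

    A handshake against a forged or self-signed certificate raises
    ssl.SSLCertVerificationError instead of silently proceeding."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # set explicitly; older Pythons default lower
    if cafile:
        ctx.load_verify_locations(cafile=cafile)  # pin to an app-specific CA bundle if desired
    return ctx


def make_broken_context():
    """The anti-pattern behind the report: 'make the SSL errors go away'.

    Any certificate, including one presented by an on-path attacker, is accepted,
    so credentials sent over this 'secure' session can be read by that attacker."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # chain validation disabled
    return ctx


def audit_context(ctx):
    """Return findings that make a client context MITM-prone; an empty list means OK."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not validated (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("server hostname is not matched against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor allows TLS versions below 1.2")
    return findings


if __name__ == "__main__":
    for name, ctx in (("validating", make_validating_context()), ("broken", make_broken_context())):
        print(name, audit_context(ctx) or "no findings")
```

The same three checks map directly onto the usual code-review questions for a mobile HTTP client: is the trust manager the platform default, is hostname verification left enabled, and is the protocol floor sane.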