A security company has analysed over 25,000 of the most popular apps on Android and iOS and found that over 2,000 of them are vulnerable to what is known as the Freak vulnerability. The research by FireEye reveals that despite a "fix" being issued by Apple for the flaw, millions of users remain at risk of man-in-the-middle attacks by hackers who could steal sensitive information such as passwords and banking details.
The problem boils down to the fact that the Freak flaw, which affects the OpenSSL library, is both a platform vulnerability and an app vulnerability. The research firm has decided not to reveal the names of the affected apps.
The problem is slightly worse on Android than on iOS, with over 11% of the apps tested (those which had more than 1 million downloads) on Google's platform affected while 5.5% of the most popular apps on Apple's App Store are vulnerable.
"After scanning 10,985 popular Google Play Android apps with more than 1 million downloads each, we found 1228 (11.2%) of them are vulnerable to a FREAK attack because they use a vulnerable OpenSSL library to connect to vulnerable HTTPS servers. On the iOS side, 771 out of 14,079 (5.5%) popular iOS apps connect to vulnerable HTTPS servers."
Apple said it patched the Freak vulnerability in the latest update to its iOS software released on 9 March, but according to FireEye, iOS 8.2 is not a complete fix, as seven of the 771 vulnerable apps "still have their own vulnerable versions of OpenSSL and they remain vulnerable on iOS 8.2".
It means that even if Google does issue a fix for Freak on Android, the flaw will remain deeply embedded in multiple apps which use a vulnerable version of the OpenSSL library.
6.3 billion downloads
On Android, FireEye says the affected applications have been downloaded a total of 6.3 billion times, giving you a sense of the scale of the problem.
As you can see from the table on the right, the most vulnerable category is photo and video, followed by lifestyle, social networking and health and fitness.
To highlight just how hackers could use this flaw to carry out man-in-the-middle attacks, FireEye demonstrated just such an attack on a "popular shopping app".
FireEye has decided not to reveal which apps are vulnerable but you can be sure that following the publication of this report, hackers will be scouring the app stores to uncover just what the security company has.
Security expert Graham Cluley has the following advice:
"Presumably it won't take long before some of the higher profile vulnerable apps might become public knowledge, but in the meantime your best course of action may be to contact app developers and ask them if they have properly addressed the flaw."