
FREAK Out on Mobile

1 reply to this topic

#1 NickAu


    Bleepin' Fish Doctor

  • Moderator
  • 13,721 posts
  • Gender:Male
  • Location: Australia

Posted 17 March 2015 - 06:22 PM



Recent disclosure of the FREAK attack [1] raises security concerns on TLS implementations once again after Heartbleed [2]. However, freakattack.com devotes client-side security checks to various browsers only. In this blog, we examine iOS and Android apps for their security status against FREAK attacks as clients.

A FREAK attack “allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data.”[1] For a FREAK attack to succeed, the server has to accept RSA_EXPORT cipher suites and the client has to allow temporary RSA keys in non-export ciphersuites. The attacker may therefore reduce the connection’s encryption strength for easier data theft.

As of March 4, both of the latest Android and iOS platforms are vulnerable to FREAK [3]. FREAK is both a platform vulnerability and an app vulnerability since both iOS and Android apps may contain vulnerable versions of the OpenSSL library themselves. Even after vendors patch Android and iOS, such apps are still vulnerable to FREAK when connecting to servers that accept RSA_EXPORT cipher suites. That’s why some iOS apps are still vulnerable to FREAK attack after Apple fixed the iOS FREAK vulnerability in iOS 8.2 [4] on March 9.

After scanning 10,985 popular Google Play Android apps with more than 1 million downloads each, we found 1228 (11.2%) of them are vulnerable to a FREAK attack because they use a vulnerable OpenSSL library to connect to vulnerable HTTPS servers. These 1228 apps have been downloaded over 6.3 billion times. Of these 1228 Android apps, 664 use Android’s bundled OpenSSL library and 564 have their own compiled OpenSSL library. All these OpenSSL versions are vulnerable to FREAK.

On the iOS side, 771 out of 14,079 (5.5%) popular iOS apps connect to vulnerable HTTPS servers. These apps are vulnerable to FREAK attacks on iOS versions lower than 8.2. Seven of these 771 apps have their own vulnerable versions of OpenSSL and they remain vulnerable on iOS 8.2.
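The post states two preconditions for FREAK: the server must accept RSA_EXPORT cipher suites, and the client must accept a temporary RSA key in a non-export cipher suite. The following model, written for this thread as an added example (it is not code from the post, from FireEye, or from OpenSSL), shows why both are needed and which single check on either side removes the exposure. The cipher suite names, the `ServerHello`/`ServerKeyExchange` records and the `freak_exposure` function are simplified constructions; no real TLS traffic is produced.

```python
"""Constructed model of the TLS RSA key-exchange checks involved in FREAK.

Not real TLS: messages are plain dataclasses, and the 512-bit key is only a
number of bits. The point is the decision logic on each side of the handshake.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed suite lists (real IANA names, but the selection is illustrative).
EXPORT_RSA_SUITES: Set[str] = {
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
STRONG_RSA_SUITES: Set[str] = {
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
}


def is_export_suite(suite: str) -> bool:
    """Export-grade suites carry '_EXPORT_' in their IANA name."""
    return "_EXPORT_" in suite


@dataclass(frozen=True)
class ServerKeyExchange:
    # For RSA key exchange this message is only legitimate in export suites,
    # where it carries a temporary (weak) RSA key.
    temp_rsa_modulus_bits: int


@dataclass(frozen=True)
class ServerHello:
    cipher_suite: str
    key_exchange: Optional[ServerKeyExchange] = None


def server_select_suite(enabled: Set[str], offered: List[str]) -> Optional[str]:
    """Server picks the first client-offered suite it has enabled.

    A server that leaves export suites in `enabled` satisfies the first
    precondition named in the post.
    """
    for suite in offered:
        if suite in enabled:
            return suite
    return None


def client_accepts(offered: List[str], hello: ServerHello, strict: bool) -> bool:
    """Client-side handshake check.

    strict=False models the pre-fix behaviour the post describes: a temporary
    RSA key is accepted even when the negotiated suite is not export-grade.
    strict=True rejects that combination, which is the client-side fix.
    """
    if hello.cipher_suite not in offered:
        return False  # suite we never offered: always rejected
    if hello.key_exchange is not None and not is_export_suite(hello.cipher_suite):
        # Temporary RSA key in a non-export suite: the FREAK condition.
        return not strict
    return True


def freak_exposure(server_enabled: Set[str], client_strict: bool) -> str:
    """Combine both preconditions and report which side stops the downgrade.

    Returns 'downgraded' (both preconditions hold), 'server_refused'
    (server has no export suites enabled) or 'client_rejected'
    (client refuses the temporary key in a strong suite).
    """
    client_offered = sorted(STRONG_RSA_SUITES)  # a sane client offers no export suites
    # A downgrade only matters if the server would ever answer with an export suite.
    chosen = server_select_suite(server_enabled, sorted(EXPORT_RSA_SUITES))
    if chosen is None:
        return "server_refused"
    # Export suite negotiated on the server side -> temporary 512-bit RSA key.
    ske = ServerKeyExchange(temp_rsa_modulus_bits=512)
    # What the client ends up evaluating: a suite it did offer, plus that weak key.
    seen_by_client = ServerHello(cipher_suite=client_offered[0], key_exchange=ske)
    if client_accepts(client_offered, seen_by_client, strict=client_strict):
        return "downgraded"
    return "client_rejected"


if __name__ == "__main__":
    vulnerable_server = STRONG_RSA_SUITES | EXPORT_RSA_SUITES
    fixed_server = set(STRONG_RSA_SUITES)
    for name, enabled in (("export-enabled server", vulnerable_server),
                          ("export-disabled server", fixed_server)):
        for strict in (False, True):
            print(f"{name}, strict client={strict}: {freak_exposure(enabled, strict)}")
```

Run as a script it prints one line per combination; only the export-enabled server paired with the non-strict client yields `downgraded`, which is the situation the post's numbers describe: an app with an unpatched OpenSSL talking to a server that still accepts RSA_EXPORT suites. Disabling export suites on the server or updating the client library each closes it on its own.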




#2 Sintharius


    Bleepin' Sniper

  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands

Posted 18 March 2015 - 01:27 AM

Isn't this patched already? :blink:
