Recent disclosure of the FREAK attack  raises security concerns on TLS implementations once again after Heartbleed . However, freakattack.com devotes client-side security checks to various browsers only. In this blog, we examine iOS and Android apps for their security status against FREAK attacks as clients.
A FREAK attack “allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data.” For a FREAK attack to succeed, the server has to accept RSA_EXPORT cipher suites and the client has to allow temporary RSA keys in non-export ciphersuites. The attacker may therefore reduce the connection’s encryption strength for easier data theft.
As of March 4, both of the latest Android and iOS platforms are vulnerable to FREAK . FREAK is both a platform vulnerability and an app vulnerability since both iOS and Android apps may contain vulnerable versions of the OpenSSL library themselves. Even after vendors patch Android and iOS, such apps are still vulnerable to FREAK when connecting to servers that accept RSA_EXPORT cipher suites. That’s why some iOS apps are still vulnerable to FREAK attack after Apple fixed the iOS FREAK vulnerability in iOS 8.2  on March 9.
After scanning 10,985 popular Google Play Android apps with more than 1 million downloads each, we found 1228 (11.2%) of them are vulnerable to a FREAK attack because they use a vulnerable OpenSSL library to connect to vulnerable HTTPS servers. These 1228 apps have been downloaded over 6.3 billion times. Of these 1228 Android apps, 664 use Android’s bundled OpenSSL library and 564 have their own compiled OpenSSL library. All these OpenSSL versions are vulnerable to FREAK.
On the iOS side, 771 out of 14,079 (5.5%) popular iOS apps connect to vulnerable HTTPS servers. These apps are vulnerable to FREAK attacks on iOS versions lower than 8.2. Seven these 771 apps have their own vulnerable versions of OpenSSL and they remain vulnerable on iOS 8.2.