Over 70% of the 25 most downloaded mobile apps identified as vulnerable to man-in-the-middle (MITM) attacks last year have still not been fixed, potentially affecting millions of users, according to McAfee.
The Intel Security-owned vendor’s McAfee Labs Threats Report for February 2015 revisits Carnegie Mellon CERT research from last year, which found that over 20,000 Android apps failed to validate SSL certificates properly over HTTPS, exposing them to MITM attacks.
The vendor said it recently tested the 25 most downloaded of those affected apps and was surprised to find that 18 are still vulnerable to MITM, despite CERT’s public disclosure last year and the fact that, in some cases, the developer had since released new versions of the app.
Although there is no suggestion that the apps are actively being targeted by MITM attackers, the exposure could theoretically affect a huge user base. The most popular insecure app analyzed, for example, has been downloaded 100-500 million times, McAfee Labs revealed.
The data its researchers were able to steal via the attacks included logins for third-party services such as social network accounts and Microsoft OneDrive, as well as “credentials that belong to their own systems and services.”
The firm had the following warning:
“We noted in the ‘McAfee Labs Threats Report: November 2014’ that open and commercial mobile malware source code is on the rise and predicted that mobile malware generation kits would soon be offered on the dark web. These off-the-shelf products will lower the barrier of entry for would-be thieves and will, in effect, become cybercrime multipliers for mobile devices.
Couple our 2015 mobile security prediction with the continued exposure of popular apps to SSL vulnerabilities, and we have a recipe for significant theft by cybercriminals.”
McAfee urged users to “stop, think, connect” when considering which apps to download and access – that is, to be more discerning about which ones to choose and how much personal data to give up.
It added that users should ensure they don’t reuse credentials across multiple online accounts, and subscribe to updates from security players to keep an eye on the latest vulnerabilities.
Intel Security EMEA CTO, Raj Samani, argued that several factors might account for the continued lack of security updates in the affected apps.
“Certainly one of the likely factors will include the lack of secure coding skills, but equally commercial pressures and, perhaps more worryingly, the lack of market demand for security and privacy incorporated into mobile apps,” he told Infosecurity.
“Sadly, previous examples of risky apps demonstrate that many consumers do not check the level of permissions requested by apps, even when the capability is available.”