McAfee: Mobile Developers' Failure To Patch Mobile App Vulnerabilities Puts Millions of Users At Risk

26 February 2015, 3:22 am EST By Anu Passary Tech Times

Smartphone apps may not be that smart after all and may even be a potential soft target for hackers-in-waiting.

According to the latest Labs Threats Report released by McAfee Labs, mobile developers are overlooking an important area: mobile app vulnerabilities. The developers' failure to patch secure sockets layer (SSL) vulnerabilities could give hackers access to unlocked user data, putting millions of mobile phone users at risk of becoming cyber attack victims.

Sensitive user data such as passwords and usernames of subscribers to vulnerable apps may be compromised, according to McAfee.

The SSL weakness could allow unidentified third parties to intercept a mobile phone user's supposedly secure online communication. Hackers would be able to create fake digital certificates to take advantage of the situation, and compromised apps would accept the fraudulent certificates without verifying their authenticity.
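Accepting a certificate without verifying it comes down to how the client configures its TLS settings. The Python code below is an added example, not taken from the McAfee report or from any of the tested apps; it audits a client TLS context for the two settings that permit this, and its function names are hypothetical.

```python
import ssl


def audit_client_context(ctx):
    """Return the certificate-validation weaknesses of a client TLS context."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        # The chain is never checked, so a self-made certificate is accepted.
        findings.append("chain-not-verified")
    if not ctx.check_hostname:
        # A certificate issued for a different site is accepted for this one.
        findings.append("hostname-not-checked")
    return findings


def accept_anything_context():
    """Constructed weak configuration: matches the behaviour the report describes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # no certificate validation at all
    return ctx


def chain_only_context():
    """Constructed partial fix: the chain is verified, the hostname is not."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def hardened_context():
    """Library defaults: chain verified against trusted CAs, hostname checked."""
    return ssl.create_default_context()


if __name__ == "__main__":
    for name, build in [("accept-anything", accept_anything_context),
                        ("chain-only", chain_only_context),
                        ("hardened", hardened_context)]:
        print(name, audit_client_context(build()) or "no findings")
```

The chain-only case is the one reviews tend to miss: the certificate is genuine, but it need not belong to the server the app meant to reach.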

In 2014, Carnegie Mellon University's Computer Emergency Response Team (CERT) published a list of mobile applications that had the SSL vulnerability. The list included popular apps with several million user downloads.

In January this year, McAfee tested 25 apps that were on the CERT list. According to the cybersecurity firm's "Labs Threats Report: February 2015," tests found that 18 popular apps were still lacking patches despite security holes being flagged in September 2014.

Based on the report, the vulnerable app that had been downloaded the most is a photo editor for smartphones. It had 100 million to 500 million downloads. The application also enables its users to share images on social media sites, as well as cloud services.

"McAfee Labs researchers simulated man-in-the-middle (MITM) attacks that successfully intercepted information shared during supposedly secure SSL sessions. The vulnerable data included usernames and passwords and in some instances, login credentials from social networks and other third-party services," revealed the security firm.

While no evidence exists that the mobile applications with SSL vulnerabilities have been taken advantage of, McAfee is of the opinion that, with the existing SSL vulnerabilities left unpatched, users may become victims of MITM attacks.

The cybersecurity firm also warns users about potentially unwanted programs (PUPs), which alter a system's settings and collect personal data without the user's knowledge. Mobile malware samples also grew by 14 percent in the fourth quarter of 2014, according to McAfee.

© 2017 Tech Times, All rights reserved. Do not reproduce without permission.
