McAfee: Mobile Developers' Failure To Patch Mobile App Vulnerabilities Puts Millions of Users At Risk
Smartphone apps may not be that smart after all and may even be a potential soft target for hackers-in-waiting.
According to the latest Labs Threats Report released by McAfee Labs, mobile developers are overlooking an important area: mobile app vulnerabilities. The developers' failure to patch Secure Sockets Layer (SSL) vulnerabilities could give hackers access to unlocked user data, putting millions of mobile phone users at risk of becoming cyber attack victims.
Sensitive user data such as passwords and usernames of subscribers to vulnerable apps may be compromised, according to McAfee.
The SSL weakness could allow unidentified third parties to intercept a mobile phone user's supposedly secure online communication. Hackers would be able to create fake digital certificates to take advantage of the situation, and vulnerable apps would accept the fraudulent certificates without verifying their authenticity.
In 2014, Carnegie Mellon University's Computer Emergency Response Team (CERT) published a list of mobile applications that had the SSL vulnerability. This list included popular apps with several million user downloads.
In January this year, McAfee tested 25 apps that were on the CERT list. According to the cybersecurity firm's "Labs Threats Report: February 2015," the tests found that 18 popular apps still lacked patches despite the security holes being flagged in September 2014.
Based on the report, the most-downloaded vulnerable app is a photo editor for smartphones, with 100 million to 500 million downloads. The application also enables its users to share images on social media sites and cloud services.
"McAfee Labs researchers simulated man-in-the-middle (MITM) attacks that successfully intercepted information shared during supposedly secure SSL sessions. The vulnerable data included usernames and passwords and in some instances, login credentials from social networks and other third-party services," revealed the security firm.
While no evidence exists that the mobile applications with SSL vulnerabilities have been taken advantage of, McAfee is of the opinion that leaving the existing SSL vulnerabilities unpatched means users may potentially become victims of MITM attacks.
The cybersecurity firm also warns users about potentially unwanted programs, or PUPs, which alter the settings of a system and collect personal data without a user's knowledge. Mobile malware samples also grew by 14 percent in the fourth quarter of 2014, according to McAfee.