Mobile apps fail to patch 'basic' security flaw, McAfee Labs says

Smart devices carried in millions of pockets are potentially giving would-be hackers unlocked access to user data, McAfee Labs warns in its latest threat report, citing a failure by mobile app developers to patch "basic" vulnerabilities.

18 top mobile apps downloaded by millions remain unpatched, months after vulnerability reported

This month's Threats Report released by the leading cybersecurity firm criticized the makers of 18 popular apps for being too slow to plug security holes that were already flagged in September 2014.

Last year, Carnegie Mellon University's computer emergency response team found that more than 20,000 mobile apps — for everything from games to sports to weather information — had an easily exploitable weakness known as a secure socket layer (SSL) vulnerability.

McAfee Labs, the research arm of Intel Security, followed up in January, testing the top 25 most popular apps outed by the university for having "the most basic" SSL problem — improper validation of website certificates. The vulnerability could lead to theft of user passwords and usernames.

"A lot of the discussion right now is about the value of data on your device, in this case your cellphone," said Gary Davis, Chief Consumer Security Evangelist with Intel Security, noting that such data can be used in insurance fraud and identity theft schemes.

'Poor programming' went unfixed

"Addresses, dates of birth, these are all data elements you'd need to in essence steal somebody's identity, or perhaps conduct insurance fraud, and it's all being made available through different applications."

The McAfee team still found "poor programming practices" that exposed users to cyberattacks. One such application, a mobile photo editor, has been downloaded as many as 500 million times.

(McAfee decided against naming the apps in its report, reasoning that it wanted to focus instead on highlighting the fact that such vulnerabilities exist.)

"To our surprise, even though CERT notified the developers months ago, 18 of the 25 most downloaded vulnerable apps that send credentials via insecure connections are still vulnerable," the McAfee report says, adding that typically private online sessions would be compromised without a user's knowledge.

The SSL weakness means that mobile phone users could have their supposedly secure online communications intercepted by unknown third parties.

This would be possible because would-be cyberattackers can generate their own digital certificates, which would normally be granted by authenticated website certificate issuers, the McAfee report says.

Compromised apps would accept those illegitimate certificates without proper verification.

To test this vulnerability, McAfee researchers simulated "man in the middle" attacks, in which a communication is set up, but a third party redirects the traffic to a different server, Davis said.
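The flaw described above, shown as an added example that is not taken from the McAfee report or from any of the apps it tested: Python's standard `ssl` module stands in for an app's TLS client, and the function names `weak_context`, `strict_context`, `audit_context` and `harden` are hypothetical.

```python
import ssl


def weak_context() -> ssl.SSLContext:
    """The flawed pattern: a certificate from any issuer, for any host, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before CERT_NONE is permitted
    ctx.verify_mode = ssl.CERT_NONE  # the issuer chain is never checked
    return ctx


def strict_context() -> ssl.SSLContext:
    """Proper validation: the chain must reach a trusted issuer and the name must match."""
    return ssl.create_default_context()


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the validation steps this client configuration skips."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("issuer chain not verified: a self-generated certificate is accepted")
    if not ctx.check_hostname:
        findings.append("hostname not checked: a certificate issued for another site is accepted")
    return findings


def harden(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Turn both checks back on and load the platform's trusted issuers."""
    ctx.verify_mode = ssl.CERT_REQUIRED  # set first so check_hostname can be enabled
    ctx.check_hostname = True
    ctx.load_default_certs()
    return ctx


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("strict", strict_context())):
        print(name, audit_context(ctx) or "no findings")
```

A client built on the weak context completes the handshake with an intercepting server and sends its credentials; the strict one aborts the connection before any application data leaves the device.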

"There’s tons of rich data when you’re using passwords to authenticate [to visit] a game site," he said. "Users tend to use the same usernames across the board, so you could get credit card information. Hackers know this….[and] they want to have the ability to reach inside a device and collect this information."

Passwords, usernames up for grabs

The McAfee report says researchers "were able to intercept the app’s username and password credentials entered to log into the cloud service to share and publish photos."

Facebook credentials were also captured in the case of one mobile instant messaging app.

In the last quarter of 2014, McAfee Labs detected more than six million samples of mobile malware.

Davis said that as more would-be cybercriminals realize the value of encrypted data on mobile devices, mobile malware kits will circulate on the so-called Dark Web that allows hackers to surf anonymously.

Unless app writers pay closer attention to patching well-documented vulnerabilities such as the Heartbleed or BERserk bugs, he said, criminals will thrive.

"Authors are starting kits, and making it available for sale so criminals can do their stuff targeting mobile sites in particular," he said.

"It’s super important when we get the highly visible vulnerabilities down because the longer they’re out there, the more they’ll get exploited and the more damage that can be done to consumers and their lives."