Mobile app makers slow to patch critical flaws


By Dylan Bushell-Embling
Wednesday, 25 February, 2015


Attacks targeting mobile devices are becoming more common, and mobile app developers have been slow to patch critical vulnerabilities in their applications, according to McAfee Labs.

The Intel Security division’s latest threat report shows that of the 25 most popular apps included on a list of vulnerable apps released by the US-based Computer Emergency Response Team (CERT) in September, 18 are still at risk.

Mobile app developers have failed to patch critical SSL vulnerabilities, leaving millions of mobile users potentially vulnerable, the report states. The apps listed by CERT had not addressed the most basic SSL vulnerabilities involving improper digital certificate chain validation.

McAfee Labs researchers were able to simulate man-in-the-middle attacks using 18 of the top 25 apps. The apps have been downloaded hundreds of millions of times combined.

“Digital trust is an imperative for us to truly engage with and benefit from the functionality [mobile apps] can provide,” McAfee Labs SVP Vincent Weafer said.

“Mobile app developers must take greater responsibility for ensuring that their applications follow the secure programming practices and vulnerability responses developed over the past decade, and by doing so provide the level of protection required for us to trust our digital lives with them.”

The report notes that there is no evidence that an attack has been carried out using the mobile apps.

Mobile malware samples grew 14% during the fourth quarter, with at least 8% of all McAfee-monitored mobile systems reporting an infection, the report adds. The number of ransomware samples grew 155% over the same period after a four-quarter decline.

Across platforms, McAfee Labs is now detecting 387 new samples of malware every minute.



  • All content Copyright © 2024 Westwick-Farrow Pty Ltd