The web security exploit known as FREAK that I discussed last week was patched by Apple days after it was discovered two weeks ago. FREAK relied on a configuration issue in web servers combined with a flaw for backwards compatibility in many software libraries used to create a secure connection. But the patch only affected Apple’s operating systems—not all apps.
This highlights how apps can remain vulnerable due to developers’ choices. And Apple’s FREAK update only fixed the problem in iOS 8.2, OS X 10.8, 10.9, and 10.10. While I addressed part of that last week, there’s more to say.
When apps attack—or are attacked
Researchers at FireEye noted in a blog post on Wednesday that while operating systems have been updated, their tests indicate that many Android and a handful of iOS apps rely on internal security code libraries, rather than using the security components in an OS.
FireEye tested nearly 11,000 popular Android apps in the official Google Play Store, and over 14,000 iOS apps. Of those tested, they discovered 1,228 Android apps and 771 iOS apps connect to secure servers that haven’t yet (or may never) be updated to fix the server-side part of the FREAK exploit.
Android has it worse, as nearly half of the affected apps found build in encryption software rather than rely on Android, and are susceptible to FREAK. In iOS, only seven apps bypass Apple’s security framework and remain vulnerable in iOS 8.2. All 771 apps remain vulnerable in all previous releases of iOS in which they still work.
While not all of those apps, Android or iOS, involve sensitive data, any program that uses a login or transfers private information—such as personal photos—can be a key to identity theft, harassment and extortion, and access to other services for which someone uses the same account name or email address and password.
If you like it, put a pin on it
Despite Apple’s close scrutiny of app submissions, third-party software is allowed wide latitude in how it communicates with servers so long as Apple’s rules about information privacy are upheld. (And even then, it’s only when a breach happens or someone reports a problem that non-obvious issue are discovered.)
For instance, there’s been growing concern for years about the ability of governments, criminals, and others to subvert the certificate system that underlies secure web, email, and other connections. Certificates are issued by hundreds of parties around the world, and operating systems and browsers use a cryptographic double-check to make sure that a secure website is what it is says it is. This validation prevents man-in-the-middle attacks.
FREAK allowed one form of attack by forcing a downgrade to an older form of encryption that could be cracked, and didn't rely on subverting certificates. However, Certificate authorities (CAs) that sign off on digital proofs have been hacked a few times in the last several years, and each time new safeguards have been put in place. But they’re not all there yet.
One technique is known as pinning, in which a domain (such as macworld.com) or an app can specify precisely which CAs are allowed to issue certificates that are valid. A certificate issued by any other authority is rejected and the user warned. Google has experimented with pinning for years, and was able to detect a falsified certificate in Iran as a result of including a warning in Chrome in 2011 when a non-approved certificate was presented for a Google domain. The affected user notified Google, which led to discovering a security breach at a CA.
App developers can also pin, and it’s a recommended practice by security experts. Marco Arment, the creator of Instapaper and the developer behind the Overcast app, uses pinning with Overcast, as do many other, but not all, developers. It’s not required.
Arment noted a few weeks ago that he has 200,000 registered users; other apps have millions or tens of millions, such as Instagram. These are juicy bits of information to a hacker or a government agent, because intercepting logins would allow them to check those same account credentials at other services or gain access to a stream of personal data that could be mined or misused.
The downside is that failure to update and manage one’s certificates carefully could cause an app’s connections to fail and require a quick app update! But the benefits are high.
Users can’t determine these sorts of security improvements, but they can request them. Apple can also shift some of its effort from enforcing absurd interpretations of rules to examining security issues like these in its app-review process, and give developers guidance.
The old gray OS ain’t what it used to be
Apple folks have long liked to poke Android users about the lack of upgradability of many handsets and other devices—some sold with an implicit promise that the device would support new major releases. And many manufacturers still ship Android devices with earlier, non-supported releases, some of them years old.
Now Apple needs to face some of the same finger pointing. While Apple stops selling new hardware that can’t run the latest iOS release whenever they put out a major update—moving from 7 to 8, say—with the FREAK update, they’ve cut adrift those customers who have outdated hardware or have chosen to not upgrade.
Apple stopped selling the last hardware that couldn’t be upgraded to iOS 8 a year before that version was released (the iPhone 4). But there are at least 100 million perfectly satisfactory iOS devices, if not more, that cannot (or will not) run releases later than iOS 7. Apple’s own data show that 20 percent of iOS devices are running iOS 7, and 3 percent still use earlier versions; it’s shipped over a billion devices. (Assume some decent percentage are dead.)
While Apple went back to 10.8 for OS X (released in 2012), 18 percent of active users were using 10.7 (2011) and 10.6 (2009). Despite the difficulty of updates, surely at least a 10.7 patch would have been worthwhile?
FREAK is a peculiar case, in that it can fixed on either or both ends: updated web servers solve the problem, and that’s happened in large numbers and very rapidly. An updated web browser or OS security component isn’t required if all the servers are fixed, as I noted last week.
But it remains a bad trend. Updating features on old OS versions makes little sense, and it’s a mire in which Microsoft used to get itself stuck—and sometimes Apple as well. Security isn’t a feature, though—it’s a necessity. While its OS X support takes us back to computers released years ago, the iOS cutoff is far too short.