A report released by Intel Security said that 18 out of 25 mobile apps reported vulnerable in September last year still remain unpatched.
Researchers at the company’s McAfee Labs found that mobile app providers have been slow to address one of the most basic SSL vulnerabilities: improper validation of the digital certificate chain.
In September 2014, the Computer Emergency Response Team (CERT) at Carnegie Mellon University released a list of mobile apps with this vulnerability, including titles which have been downloaded millions of times.
In January, McAfee Labs followed up and tested the 25 most popular apps on the list, which send login credentials through insecure connections. It found that 18 still have not been patched despite public disclosure, vendor notification and, in some cases, multiple version updates addressing other concerns.
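The defect class the report refers to, shown as an added illustration (not code from the report, CERT or any of the listed apps): an Android-style HTTPS client whose TrustManager accepts any certificate chain, beside the corrected form that validates the chain against the platform trust store. The class name, method names and the login URL are assumptions made for the example.

```java
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical helper class written for this example.
public class ChainValidation {

    // The pattern to look for in code review: a TrustManager whose checks are empty,
    // so a self-signed, expired or wrong-host certificate chain is accepted and the
    // login credentials the app sends can be read by whoever terminates the TLS session.
    static SSLSocketFactory brokenFactory() throws Exception {
        TrustManager[] acceptAnything = {
            new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, acceptAnything, null);
        return ctx.getSocketFactory();
    }

    // Corrected form: build the TrustManager from the platform trust store, so the
    // chain must lead to a trusted root. On Android this is also what the app gets
    // by never overriding the socket factory or hostname verifier at all.
    static SSLSocketFactory validatingFactory() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);   // null selects the platform default trust store
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    // Login request over the validating factory; the default hostname verifier stays
    // in place, so the presented certificate must also match the requested host.
    static int postLogin(String loginUrl, byte[] body) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(loginUrl).openConnection();
        conn.setSSLSocketFactory(validatingFactory());
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.getOutputStream().write(body);
        return conn.getResponseCode();
    }
}
```

Grepping an app's source for `checkServerTrusted` bodies that are empty or only log, and for `HostnameVerifier` implementations that always return true, is a quick way to find the broken form.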
Although there is no evidence that these mobile apps have been exploited by miscreants, the flaw still puts millions of users at risk.
According to Vincent Weafer, SVP of McAfee Labs, part of Intel Security: “Mobile app developers must take greater responsibility for ensuring that their applications follow the secure programming practices and vulnerability responses developed over the past decade, and by doing so provide the level of protection required for us to trust our digital lives with them.”
The report also notes that mobile malware samples grew 14 per cent during the fourth quarter of 2014, with Asia and Africa registering the highest infection rates.
In Q4, McAfee Labs detected potentially unwanted programs (PUPs) on 91 million systems each day, and it sees PUPs becoming increasingly aggressive: posing as legitimate apps while performing unauthorised actions such as displaying unwanted ads, modifying browser settings, or collecting user and system data.