We have a large number of deployed iPhones that connect to our Exchange server. Many of those phones are still iPhone 4 and Apple is no longer pushing out security updates to them. That means I have no way to patch the FREAK vulnerability on these devices.
My main concern is not with regular HTTPS sites, as our users shouldn't be doing any of that on their phones anyway. My concern is the connection to our Exchange server, which does use HTTPS.
Is there any way to fix this server side? I'm assuming the answer is likely no since an attacker could force the user to use the weaker encryption without the server knowing about it. Is that a correct assumption on my part?
We already rolled out the group policy updates recommended by Microsoft last week and patched the server last night. But can an attacker still exploit this flaw and mount a man-in-the-middle attack on these iOS devices?