A bug in the way that 1,500 iOS apps establish secure connections to servers leaves them vulnerable to man-in-the-middle attacks, according to analytics company SourceDNA (via arsTechnica). The bug means anyone intercepting data from an iPhone or iPad could access logins and other sensitive information sent using the HTTPS protocol.
A man-in-the-middle attack allows a fake WiFi hotspot to intercept data from devices connecting to it. Usually, this wouldn’t work with secure connections, as the fake hotspot wouldn’t have the correct security certificate. However, the bug discovered by SourceDNA means that the vulnerable apps fail to check the certificate …
The vulnerability arises because thousands of apps rely on the open-source AFNetworking library to handle the connection to the server. Version 2.5.1, introduced in January, contains a bug that means HTTPS security certificates aren’t checked. Although a fix was introduced in version 2.5.2 three weeks ago, scanning iOS apps in the App Store found that around 1,500 of them are still using the old version.
An estimated two million people have installed the vulnerable apps, which include the Citrix OpenVoice Audio Conferencing, the Alibaba.com mobile app, Movies by Flixster with Rotten Tomatoes, KYBankAgent 3.0, and Revo Restaurant Point of Sale.
SourceDNA initially kept the names of vulnerable apps private, to give developers time to update, but has now provided a search tool that allows iPhone and iPad users to search by developer. If you find any apps you use are vulnerable, share them in the comments and avoid using them on public WiFi hotspots.
Apple last month pushed security updates to both iOS and OS X to end a vulnerability to the FREAK exploit which also affected Windows and Android devices.
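The regression test below is an added example, not code from the article or from the AFNetworking project. It is the check a developer shipping AFNetworking can add so the build fails if the library ever again accepts an untrusted certificate (as 2.5.1 did), or if the "ignore invalid certificate" switches discussed in the comments are left on. It assumes a self-signed test certificate named `untrusted-test.cer` (placeholder) in the test bundle and an app that uses the default `AFHTTPSessionManager`.

```objc
// Added example (not from the article or the AFNetworking project).
// Assumes AFNetworking 2.x and a self-signed certificate, untrusted-test.cer
// (placeholder name), bundled with the test target.
#import <XCTest/XCTest.h>
#import <Security/Security.h>
#import <AFNetworking/AFNetworking.h>

@interface CertificateValidationTests : XCTestCase
@end

@implementation CertificateValidationTests

// Builds a SecTrustRef for a certificate the system does not trust,
// evaluated as a TLS server certificate for the given hostname.
// The caller releases the returned trust object.
- (SecTrustRef)untrustedTrustForHost:(NSString *)host {
    NSString *path = [[NSBundle bundleForClass:[self class]]
                      pathForResource:@"untrusted-test" ofType:@"cer"];
    NSData *der = [NSData dataWithContentsOfFile:path];
    XCTAssertNotNil(der, @"test certificate missing from bundle");
    SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)der);
    SecPolicyRef ssl = SecPolicyCreateSSL(true, (__bridge CFStringRef)host);
    SecTrustRef trust = NULL;
    SecTrustCreateWithCertificates(cert, ssl, &trust);
    CFRelease(ssl);
    CFRelease(cert);
    return trust;
}

// The default policy (no pinning) must still reject an untrusted chain.
// This is exactly what 2.5.1 got wrong and 2.5.2 fixed.
- (void)testDefaultPolicyRejectsUntrustedCertificate {
    SecTrustRef trust = [self untrustedTrustForHost:@"api.example.com"];
    AFSecurityPolicy *policy = [AFSecurityPolicy defaultPolicy];
    XCTAssertFalse([policy evaluateServerTrust:trust forDomain:@"api.example.com"],
                   @"untrusted certificate was accepted");
    CFRelease(trust);
}

// Guards against the copy-pasted "ignore invalid certificate" pattern:
// the policy the app ships with must never have validation switched off.
- (void)testShippingPolicyDoesNotDisableValidation {
    AFSecurityPolicy *policy = [AFHTTPSessionManager manager].securityPolicy;
    XCTAssertFalse(policy.allowInvalidCertificates);
    XCTAssertTrue(policy.validatesDomainName);
}

@end
```

Run this test against both the version of AFNetworking you ship and each upgrade; an app with its own manager subclass should check that manager's `securityPolicy` instead of the default one.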
Mailbox uses AFNetworking v 2.5.0 or older. It’s not vulnerable though
No, it is specifically 2.5.1 which has the vulnerability
I’m just starting to search but so far I’ve found Flickr Uploader is vulnerable:
https://itunes.apple.com/app/id328407587
I can’t tell if Yahoo Weather is or not from the list.
This is why we don’t use useless 3rd party libraries… I will never understand the appeal of AFNetworking.
GasBuddy 2.6.2 and 2.7.0 are both vulnerable. Elevate 1.20 is also vulnerable.
Would this be an issue if you used a VPN?
Wunderlist and Status
Panera Bread App
Not a surprise, bad developers will google “ignore invalid certificate” to connect to their development environments and that google will land them on stackoverflow and they will copy and paste the code to ignore the certificate without a thought. I see it all the time. Good developers will check their environment before enabling code like that so that you have proper security when connecting to your secured environments.
Sadly a large chunk of app development done by large multinational corps just throws app development over the wall to the cheapest vendor that has, well, bad developers typically.