The buggy code highlighted by arsTechnica

A bug in the way that 1,500 iOS apps establish secure connections to servers leaves them vulnerable to man-in-the-middle attacks, according to analytics company SourceDNA (via arsTechnica). The bug means anyone intercepting data from an iPhone or iPad could access logins and other sensitive information sent using the HTTPS protocol.

A man-in-the-middle attack allows a fake WiFi hotspot to intercept data from devices connecting to it. Usually, this wouldn’t work with secure connections, as the fake hotspot wouldn’t have the correct security certificate. However, the bug discovered by SourceDNA means that the vulnerable apps fail to check the certificate … 

The vulnerability arises because thousands of apps rely on the open-source networking library AFNetworking to handle their connections to servers. Version 2.5.1, introduced in January, contains a bug that causes HTTPS security certificates to go unchecked. Although a fix was introduced in version 2.5.2 three weeks ago, SourceDNA's scan of iOS apps in the App Store found that around 1,500 of them are still using the old version.
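As an added illustration (not code from the article, SourceDNA or the AFNetworking project), this is how an app built on AFNetworking 2.5.2 or later can configure its AFSecurityPolicy so that a hotspot presenting a forged certificate is rejected even if validation were ever weakened again. The host name and the bundled certificate file name are placeholders.

```objective-c
// Added example: hardened AFNetworking 2.x security policy.
// Assumes the server's leaf (or issuing CA) certificate is shipped in the
// app bundle as "api_example_com.cer" and that api.example.com is a
// placeholder for the real API host.
#import <AFNetworking/AFNetworking.h>

static AFHTTPRequestOperationManager *MakeHardenedManager(void) {
    NSURL *base = [NSURL URLWithString:@"https://api.example.com"];
    AFHTTPRequestOperationManager *manager =
        [[AFHTTPRequestOperationManager alloc] initWithBaseURL:base];

    // Pin on the server's public key: a certificate that chains to a
    // trusted CA is still rejected unless it carries the expected key,
    // which defeats a rogue hotspot using any cert it can obtain.
    AFSecurityPolicy *policy =
        [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey];

    NSString *certPath = [[NSBundle mainBundle]
        pathForResource:@"api_example_com" ofType:@"cer"];  // placeholder
    policy.pinnedCertificates = @[ [NSData dataWithContentsOfFile:certPath] ];

    // These are the library defaults, written out because the weak
    // development-time values (allowInvalidCertificates = YES,
    // validatesDomainName = NO) are exactly what leaves an app open
    // to the man-in-the-middle scenario described above.
    policy.allowInvalidCertificates = NO;
    policy.validatesDomainName = YES;

    manager.securityPolicy = policy;
    return manager;
}
```

Pinning also means the bundled certificate must be rotated before the server's key changes, so plan the app update ahead of any certificate renewal.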

An estimated two million people have installed the vulnerable apps, which include the Citrix OpenVoice Audio Conferencing, the Alibaba.com mobile app, Movies by Flixster with Rotten Tomatoes, KYBankAgent 3.0, and Revo Restaurant Point of Sale.

SourceDNA initially kept the names of vulnerable apps private, to give developers time to update, but has now provided a search tool that allows iPhone and iPad users to search by developer. If you find any apps you use are vulnerable, share them in the comments and avoid using them on public Wi-Fi hotspots.

Apple last month pushed security updates to both iOS and OS X to end a vulnerability to the FREAK exploit which also affected Windows and Android devices.

You're reading 9to5Mac.

About the Author: Ben Lovejoy