The buggy code highlighted by arsTechnica

A bug in the way that 1,500 iOS apps establish secure connections to servers leaves them vulnerable to man-in-the-middle attacks, according to analytics company SourceDNA (via arsTechnica). The bug means anyone intercepting data from an iPhone or iPad could access logins and other sensitive information sent using the HTTPS protocol.

A man-in-the-middle attack allows a fake Wi-Fi hotspot to intercept data from devices connecting to it. Usually, this wouldn’t work with secure connections, as the fake hotspot wouldn’t have the correct security certificate. However, the bug discovered by SourceDNA means that the vulnerable apps fail to check the certificate … 

The vulnerability arises because thousands of apps rely on the open-source networking library AFNetworking to handle the connection to the server. Version 2.5.1, introduced in January, contains a bug that means HTTPS security certificates aren’t checked at all. Although a fix was introduced in version 2.5.2 three weeks ago, scanning iOS apps in the App Store found that around 1,500 of them are still using the old version.
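To make concrete what "certificates aren't checked" means for a client, here is an added example (not code from the article, SourceDNA or AFNetworking, and written in Python rather than the Objective-C the library uses). It starts a TLS server on loopback with a freshly generated self-signed certificate, standing in for an attacker's fake hotspot, then connects twice: once with certificate verification switched off, which is the effect of the bug described above, and once with a normally configured client. The hostname `api.example.test` and the `intercepted` payload are constructed for the demo, and the `openssl` command-line tool is assumed to be installed.

```python
"""
Why a client that skips certificate validation is open to interception.

Added example, not code from the article, SourceDNA or AFNetworking.
Assumes the `openssl` CLI is available to mint a throwaway certificate.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

FAKE_HOST = "api.example.test"  # constructed hostname for the demo


def make_self_signed_cert(directory):
    """Generate a throwaway self-signed cert/key pair (constructed test data)."""
    cert = os.path.join(directory, "cert.pem")
    key = os.path.join(directory, "key.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1",
         "-subj", "/CN=" + FAKE_HOST],
        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return cert, key


def start_fake_server(cert, key):
    """Serve two TLS connections on 127.0.0.1 presenting the untrusted cert.

    This plays the role of the hostile hotspot: nobody a real app trusts has
    signed this certificate, so a correct client must refuse it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(2)
    port = listener.getsockname()[1]

    def serve():
        for _ in range(2):
            conn, _ = listener.accept()
            try:
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.sendall(b"intercepted")
            except OSError:
                pass  # a validating client aborts the handshake; that is expected
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def connect(port, ctx):
    """Return ('ok', payload) if the client accepted the server, else ('rejected', why)."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=FAKE_HOST) as tls:
                return ("ok", tls.recv(64).decode())
    except ssl.SSLCertVerificationError as exc:
        return ("rejected", exc.verify_message)


def run_demo():
    """Compare a non-validating client with a validating one against the fake server."""
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed_cert(tmp)
        port = start_fake_server(cert, key)

        # Vulnerable configuration: no chain validation, no hostname check.
        # Any certificate, including the attacker's, is accepted.
        no_verify = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        no_verify.check_hostname = False
        no_verify.verify_mode = ssl.CERT_NONE

        # Correct configuration: system trust store, hostname check, verification required.
        verifying = ssl.create_default_context()

        return {
            "unverified_client": connect(port, no_verify),
            "verifying_client": connect(port, verifying),
        }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The non-validating client completes the handshake and happily reads whatever the fake server sends, which is exactly the position a user of an affected app is in on a hostile hotspot; the validating client aborts with a verification error before any application data is exchanged. The fix is the same in any stack: never disable chain validation or hostname checking in production builds, and make sure the TLS library actually performs them.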

An estimated two million people have installed the vulnerable apps, which include the Citrix OpenVoice Audio Conferencing, the Alibaba.com mobile app, Movies by Flixster with Rotten Tomatoes, KYBankAgent 3.0, and Revo Restaurant Point of Sale.

SourceDNA initially kept the names of vulnerable apps private, to give developers time to update, but has now provided a search tool to allow iPhone and iPad users to search by developer. If you find any apps you use are vulnerable, share them in the comments and avoid using them on public Wi-Fi hotspots.

Apple last month pushed security updates to both iOS and OS X to close the FREAK vulnerability, which also affected Windows and Android devices.

About the Author

Ben Lovejoy