After scanning through the binary code of applications in the iOS App Store, Will Strafach’s verify.ly service has found that 76 popular apps in the store are currently vulnerable to data interception. The interception is possible regardless of whether the apps’ developers use App Transport Security. A few months ago, similar vulnerabilities were discovered in the Experian and myFICO Mobile iOS apps.
Strafach’s verify.ly service is dedicated to scanning apps in the iOS App Store for vulnerabilities, to help developers understand how to harden and secure their code. The scans look for vulnerability patterns, and in the more alarming cases they find the same pattern repeated across multiple applications. Today’s announcement is scary not only because the applications are so commonly used, but also because the vulnerable app builds have been downloaded more than 18,000,000 times.
In the report, Strafach has sorted the 76 apps into low, medium, and high risk categories. “The App Transport Security feature of iOS does not and cannot help block this vulnerability from working”, states Strafach. ATS, introduced in iOS 9, was meant to improve user security and privacy by pushing apps to use HTTPS. Apple originally set a deadline of January 1st, 2017 for all apps to have the feature configured but has since pushed it back to an undetermined date. The issue lies in misconfigured networking code that causes Apple’s App Transport Security to see the connections as valid TLS connections even when they are not.
There is no possible fix on Apple’s side: if Apple were to override this functionality in an attempt to block this security issue, it would actually make some iOS applications less secure, as they would no longer be able to use certificate pinning for their connections, and they could not trust otherwise untrusted certificates, which may be required for intranet connections within an enterprise using an in-house PKI. Therefore, the onus rests solely on app developers themselves to ensure their apps are not vulnerable.
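The misconfiguration the report describes is commonly a URLSession delegate that hands the server’s trust object back without evaluating it; the following is an added illustration written for this article, not code from verify.ly or from any of the listed apps, showing that pattern next to a hardened delegate that keeps the legitimate uses Apple cannot break (system trust evaluation, optional leaf pinning, an in-house root installed by profile). The class names and the `pinnedLeafDER` parameter are assumed for the example.

```swift
import Foundation
import Security

// Misconfigured pattern: the delegate returns the server's trust object without
// evaluating it, so any certificate (including an interception proxy's) is accepted.
// ATS does not catch this: the connection is still HTTPS, the trust decision was just bypassed.
final class InsecureSessionDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard let trust = challenge.protectionSpace.serverTrust else {
            return completionHandler(.cancelAuthenticationChallenge, nil)
        }
        // BUG: no trust evaluation at all before handing the credential back.
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// Hardened form: validate the chain with the system trust store, then optionally pin the
// leaf certificate's DER bytes. `pinnedLeafDER` is an assumed parameter for this example;
// pass nil to rely on the system store alone (e.g. an in-house PKI root installed by profile).
final class PinningSessionDelegate: NSObject, URLSessionDelegate {
    private let pinnedLeafDER: Data?

    init(pinnedLeafDER: Data?) { self.pinnedLeafDER = pinnedLeafDER }

    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust,
              isTrusted(trust) else {
            return completionHandler(.cancelAuthenticationChallenge, nil)
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }

    private func isTrusted(_ trust: SecTrust) -> Bool {
        // 1. Full chain validation: hostname, expiry and a root the device trusts.
        //    (iOS 12+; on older systems use SecTrustEvaluate and accept .proceed or .unspecified.)
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else { return false }
        // 2. Optional pinning: the leaf must match the copy bundled with the app.
        guard let expected = pinnedLeafDER else { return true }
        guard let leaf = SecTrustGetCertificateAtIndex(trust, 0) else { return false }
        return (SecCertificateCopyData(leaf) as Data) == expected
    }
}
```

Pinning the leaf means the app must ship an update whenever the server certificate rotates, which is why many teams pin an intermediate or the public key instead; whichever is chosen, the system evaluation in step 1 must never be skipped.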
Some of the apps with low risk distinctions include: ooVoo, ViaVideo, Snap Upload for Snapchat, Uploader Free for Snapchat, and Cheetah Browser. Unsurprisingly, a handful of the apps are Snapchat-centric applications, something Strafach discussed as being insecure last March.
As far as the medium and high risk applications go, Strafach is holding off on sharing that list until he’s properly communicated the issues with the appropriate developers and companies of the applications.
In the meantime, users can do a few things to help protect against these issues. A properly configured VPN could help mitigate this issue, something we mentioned that Apple should implement natively on iOS. If users decide against using a VPN on their devices, Strafach recommends that they turn off Wi-Fi instead.
…if you are in a public location and need to perform a sensitive action on your mobile device (such as opening your bank app and checking your account balance), you can work around the issue by opening “Settings” and turning the “Wi-Fi” switch off prior to the sensitive action. While on a cellular connection the vulnerability does still exist, cellular interception is more difficult, requires expensive hardware, is far more noticeable, and it is quite illegal (within the United States). Therefore, it is much less plausible for an attacker to risk attempting to intercept a cellular data connection.
Head over to Strafach’s post for the full and more technical breakdown.