There are approximately 1,500 iOS apps that are exposed to a vulnerability that could let a hacker bypass HTTPS security and steal passwords, as well as other sensitive data, according to experts.
Do you own an iOS device, such as an iPhone or an iPad?
A bug in the way that 1,500 iOS apps establish secure connections to servers leaves them vulnerable to ‘man-in-the-middle’ attacks: an attacker positioned between an affected app and its HTTPS server can intercept and modify the encrypted traffic. Because the app does not check the server’s certificate, presenting it with a forged certificate is enough to decrypt and alter the data. An intruder can reach that position on an insecure wireless network, through a compromised router, or by other means.
The possible impact of the bug.
The vulnerability arises because thousands of apps rely on an open-source networking library, AFNetworking, to handle the connection to a server. Version 2.5.1, introduced in January, contains the bug: it does not check the HTTPS server certificate. Although a fix, version 2.5.2, was released over three weeks ago, many iOS apps still ship the old code. These are not limited to small developers; they include prominent apps such as Movies by Flixster and Citrix OpenVoice Audio Conferencing.
The number of exposed apps could exceed 1,500 applications listed on the App Store. SourceDNA, an analytics company, said that the affected apps were not only using an outdated version of AFNetworking but also failing to use certificate pinning, which restricts an HTTPS connection to one specific certificate. Pinning is turned off by default in AFNetworking.
It also added that an estimated two million people have installed vulnerable apps.
SourceDNA also published a web-based search tool that shows whether an app is vulnerable or has already been patched.
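The following is an added example, not code from the article or from the AFNetworking project, showing what the two settings discussed above look like in an app built on AFNetworking 2.5.x: a weak policy that accepts any certificate (the effect of the 2.5.1 bug, and of a developer switching validation off), beside a hardened policy that pins the server certificate shipped in the app bundle. The bundle file name `server.cer`, the host `api.example.com` and the `ConfigureAccountManager` function are assumptions for this example; `AFSecurityPolicy`, `AFSSLPinningModeCertificate`, `allowInvalidCertificates`, `validatesDomainName`, `pinnedCertificates` and `AFHTTPRequestOperationManager` are the library’s own names.

```objc
#import <AFNetworking/AFNetworking.h>

// Hardened policy: the only certificate the app accepts for its HTTPS
// connections is the one bundled as "server.cer" (file name assumed here).
static AFSecurityPolicy *PinnedSecurityPolicy(void)
{
    NSString *path = [[NSBundle mainBundle] pathForResource:@"server" ofType:@"cer"];
    NSData *certificate = [NSData dataWithContentsOfFile:path];
    NSCAssert(certificate != nil, @"pinned certificate missing from bundle");

    AFSecurityPolicy *policy =
        [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];
    policy.pinnedCertificates = @[certificate];
    policy.allowInvalidCertificates = NO;  // reject untrusted or self-signed chains
    policy.validatesDomainName = YES;      // reject a valid certificate issued for another host
    return policy;
}

// Weak policy, shown only for contrast: this is roughly the behaviour the
// 2.5.1 bug produced, and what a developer gets by disabling validation
// "to make the build work". Any certificate, including a forged one, passes.
static AFSecurityPolicy *WeakSecurityPolicy(void)
{
    AFSecurityPolicy *policy = [AFSecurityPolicy defaultPolicy];
    policy.allowInvalidCertificates = YES;
    policy.validatesDomainName = NO;
    return policy;
}

// Attach the hardened policy to the manager used for API calls (assumed app code).
static AFHTTPRequestOperationManager *ConfigureAccountManager(void)
{
    AFHTTPRequestOperationManager *manager = [AFHTTPRequestOperationManager manager];
    manager.securityPolicy = PinnedSecurityPolicy();
    (void)WeakSecurityPolicy; // never assign this one; kept only to document the contrast

    [manager GET:@"https://api.example.com/account" parameters:nil
         success:^(AFHTTPRequestOperation *operation, id responseObject) {
             // handle account data
         }
         failure:^(AFHTTPRequestOperation *operation, NSError *error) {
             // A pin mismatch shows up here as a failed connection. Log it and
             // stop; do not fall back to an unpinned retry.
         }];
    return manager;
}
```

Pinning to a specific certificate, as the article describes, means the bundled `server.cer` must be replaced before the server certificate is rotated or expires, or the app will refuse every connection; a release process that tracks the certificate’s expiry date avoids that outage. The failure handler is also the natural place to add detection: a sudden rise in pin failures from the field is a signal worth alerting on.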
- There are over 100,000 iOS apps, out of the 1.4 million on the App Store, that use the AFNetworking library.
- Of those, 20,000 were updated or released during the period in which the vulnerability was present.
After creating a signature for the vulnerable AFNetworking code, SourceDNA scanned those 20,000 apps to see how many were affected. The scan showed that:
- 55% of the apps were using the older, safe 2.5.0 version of AFNetworking.
- 40% were not using the library’s vulnerable SSL (Secure Sockets Layer) code at all.
- 5%, or about 1,000-1,500 apps, were vulnerable.
A thousand apps in an App Store that contains over a million may not seem like much, but it becomes a concern when you consider that they include prominent and popular apps from developers such as Yahoo, Microsoft, Uber and Citrix, among others.
“It amazes us that an open-source library that introduced a security flaw for only six weeks exposed millions of users to attack,” SourceDNA said.