1,500 iOS apps are vulnerable to HTTPS snooping thanks to 3rd-party code flaw

Scorpus


Around 1,500 iOS applications are vulnerable to simple man-in-the-middle attacks thanks to an HTTPS-related vulnerability in a third-party library common to them all. The flaw could allow someone to snoop on a user's personal information, including bank account details, with very little effort.

According to a report published by SourceDNA, the 1,500 iOS apps in question all use one specific version of an open-source networking library: AFNetworking 2.5.1. The flawed version of the library was released in January this year, and was patched with version 2.5.2 three weeks ago.

The flaw lies in how the AFNetworking library performs SSL certificate validation on behalf of the app that uses it. Because of a coding error, version 2.5.1 never actually validates the server's certificate, so anyone who presents a fraudulent certificate to the app will have it accepted automatically.

This means that, for example, someone could set up a free Wi-Fi network within a cafe, and then steal an unsuspecting user's bank account information through fake SSL certificates and proxies when they use an affected banking application.

SourceDNA analyzed about one million iOS applications available through the App Store, and found around 1,500 apps that used AFNetworking 2.5.1, implemented HTTPS, and didn't use certificate pinning (a method that ensures only one certificate is ever used for encrypted connections).
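Certificate pinning, which the report credits with keeping some AFNetworking apps off the affected list, is configured through the library's own AFSecurityPolicy class. The following is an added example, not code from the article or from the AFNetworking project; it assumes a DER-encoded certificate file named `api-server.cer` in the app bundle and a hypothetical host `api.example.com`.

```objective-c
#import "AFNetworking.h"

// Build a strict security policy: pin to a certificate shipped in the app
// bundle, reject invalid certificate chains, and check the hostname too.
static AFSecurityPolicy *StrictPinnedPolicy(void) {
    AFSecurityPolicy *policy =
        [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];

    // Assumption: the server certificate was exported as DER and added to
    // the app bundle as api-server.cer (hypothetical file name).
    NSString *certPath = [[NSBundle mainBundle] pathForResource:@"api-server"
                                                          ofType:@"cer"];
    NSData *certData = [NSData dataWithContentsOfFile:certPath];
    NSCAssert(certData != nil, @"pinned certificate missing from bundle");
    policy.pinnedCertificates = @[certData];

    // Never accept self-signed or otherwise untrusted chains, and make sure
    // the certificate actually belongs to the host being contacted.
    policy.allowInvalidCertificates = NO;
    policy.validatesDomainName = YES;
    return policy;
}

// Attach the policy to the request manager so every HTTPS request made
// through it is checked against the pinned certificate.
static AFHTTPRequestOperationManager *PinnedManager(void) {
    AFHTTPRequestOperationManager *manager =
        [AFHTTPRequestOperationManager manager];
    manager.securityPolicy = StrictPinnedPolicy();
    return manager;
}

// Example request against the hypothetical API host.
void FetchAccountSummary(void) {
    [PinnedManager() GET:@"https://api.example.com/account/summary"
              parameters:nil
                 success:^(AFHTTPRequestOperation *op, id responseObject) {
                     NSLog(@"response: %@", responseObject);
                 }
                 failure:^(AFHTTPRequestOperation *op, NSError *error) {
                     // A forged certificate from an interposed proxy fails
                     // the pin check and lands here instead of succeeding.
                     NSLog(@"request failed: %@", error);
                 }];
}
```

Pinning is a second line of defense, not a substitute for the fix: an app using 2.5.1 should still be rebuilt against 2.5.2 so that ordinary certificate validation works again.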

The applications have been collectively downloaded millions of times, and include apps such as Movies by Flixster, Alibaba.com, Amazon, OneDrive, and KYBankAgent. If you are wondering whether an app on your iOS device is affected, you can search for it in SourceDNA's handy database.
