
HTTPS bug leaves 1,500 iOS apps vulnerable to man-in-the-middle attacks, finds analytics company

The buggy code highlighted by Ars Technica

A bug in the way that 1,500 iOS apps establish secure connections to servers leaves them vulnerable to man-in-the-middle attacks, according to analytics company SourceDNA (via Ars Technica). The bug means anyone intercepting traffic from an iPhone or iPad could read logins and other sensitive information sent over HTTPS.

A man-in-the-middle attack allows a fake WiFi hotspot to intercept data from devices connecting to it. Usually, this wouldn’t work with secure connections, as the fake hotspot wouldn’t have the correct security certificate. However, the bug discovered by SourceDNA means that the vulnerable apps fail to check the certificate … 

The vulnerability arises because thousands of apps rely on the open-source networking library AFNetworking to handle the connection to the server. Version 2.5.1, introduced in January, contains a bug that causes HTTPS server certificates to go unchecked. Although a fix was introduced in version 2.5.2 three weeks ago, SourceDNA's scan of iOS apps in the App Store found that around 1,500 of them are still using the old version.
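The practical check for a development team is the same one SourceDNA ran at scale: find out which builds still resolve AFNetworking to the affected version. The following Python script is an added example, not code from the article, SourceDNA or the AFNetworking project; it reads a CocoaPods `Podfile.lock` (the sample lockfile below is constructed for the example), folds subspecs such as `AFNetworking/Security` into their root pod, and flags any resolved `AFNetworking` version in the range the article gives (2.5.1 affected, 2.5.2 fixed). The `FIRST_BAD`/`FIRST_FIXED` bounds and the helper names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Version bounds taken from the article: the certificate-validation bug
# is in AFNetworking 2.5.1 and 2.5.2 contains the fix.
AFFECTED_POD = "AFNetworking"
FIRST_BAD = (2, 5, 1)
FIRST_FIXED = (2, 5, 2)

# Matches a resolved pod line in the PODS: section, e.g. "  - AFNetworking (2.5.1):".
# Nested dependency lines such as "    - AFNetworking/Security (= 2.5.1)" carry a
# constraint operator rather than a bare version and are deliberately not matched.
_POD_LINE = re.compile(
    r"^\s*-\s+(?P<name>[^\s(]+)\s+\((?P<version>\d+(?:\.\d+)*)\):?\s*$"
)

# Constructed sample lockfile (not from any real app) for the demonstration.
SAMPLE_LOCKFILE = """\
PODS:
  - AFNetworking (2.5.1):
    - AFNetworking/NSURLConnection (= 2.5.1)
    - AFNetworking/NSURLSession (= 2.5.1)
    - AFNetworking/Security (= 2.5.1)
  - AFNetworking/NSURLConnection (2.5.1):
    - AFNetworking/Reachability
    - AFNetworking/Security
  - AFNetworking/Security (2.5.1)
  - Mantle (1.5.4):
    - Mantle/extobjc (= 1.5.4)

DEPENDENCIES:
  - AFNetworking (~> 2.5)
  - Mantle
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.1' into (2, 5, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def resolved_pods(lockfile: str) -> Dict[str, str]:
    """Return {root pod name: resolved version} from the PODS: section.

    Subspecs (AFNetworking/Security) are folded into their root pod; the first
    resolved version seen for a root wins, which is also the root entry itself
    because CocoaPods lists pods alphabetically.
    """
    pods: Dict[str, str] = {}
    in_pods = False
    for line in lockfile.splitlines():
        if line.startswith("PODS:"):
            in_pods = True
            continue
        if in_pods and line and not line[0].isspace():
            break  # reached the next top-level section (DEPENDENCIES:, ...)
        if not in_pods:
            continue
        match = _POD_LINE.match(line)
        if match:
            root = match.group("name").split("/")[0]
            pods.setdefault(root, match.group("version"))
    return pods


def is_affected(pod: str, version: str) -> bool:
    """True when the pod is AFNetworking and FIRST_BAD <= version < FIRST_FIXED."""
    return pod == AFFECTED_POD and FIRST_BAD <= parse_version(version) < FIRST_FIXED


def find_affected(lockfile: str) -> List[Tuple[str, str]]:
    """List (pod, version) pairs in the lockfile that fall in the affected range."""
    return [(pod, ver) for pod, ver in resolved_pods(lockfile).items() if is_affected(pod, ver)]


if __name__ == "__main__":
    for pod, ver in find_affected(SAMPLE_LOCKFILE):
        print(f"{pod} {ver}: certificate validation bug, upgrade to 2.5.2 or later")
```

Run it against each app's `Podfile.lock` (or `find . -name Podfile.lock` across a monorepo); an empty result for a lockfile that pins 2.5.0 or 2.5.2 is expected, since only 2.5.1 is in the affected range.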

An estimated two million people have installed the vulnerable apps, which include the Citrix OpenVoice Audio Conferencing, the Alibaba.com mobile app, Movies by Flixster with Rotten Tomatoes, KYBankAgent 3.0, and Revo Restaurant Point of Sale.

SourceDNA initially kept the names of vulnerable apps private, to give developers time to update, but has now provided a search tool to allow iPhone and iPad users to search by developer. If you find any apps you use are vulnerable, share them in the comments and avoid using them on public wifi hotspots.

Apple last month pushed security updates to both iOS and OS X to close the FREAK vulnerability, which also affected Windows and Android devices.


Comments

  1. AKEEM (@VKEEW) - 9 years ago

    Mailbox uses AFNetworking v 2.5.0 or older. It’s not vulnerable though

  2. rwanderman - 9 years ago

    I’m just starting to search but so far I’ve found Flickr Uploader is vulnerable:

    https://itunes.apple.com/app/id328407587

    I can’t tell if Yahoo Weather is or not from the list.

  3. thegamingart - 9 years ago

    This is why we don’t use useless 3rd party libraries… I will never understand the appeal of AFNetworking.

  4. ericpruss - 9 years ago

    GasBuddy 2.6.2 and 2.7.0 are both vulnerable. Elevate 1.20 is also vulnerable.

  5. tomtubbs - 9 years ago

    Would this be an issue if you used a VPN?

  6. Tony C (@atTACk76) - 9 years ago

    Wunderlist and Status

  7. Panera Bread App

  8. Not a surprise, bad developers will google “ignore invalid certificate” to connect to their development environments and that google will land them on stackoverflow and they will copy and paste the code to ignore the certificate without a thought. I see it all the time. Good developers will check their environment before enabling code like that so that you have proper security when connecting to your secured environments.

    Sadly a large chunk of app development done by large multinational corps just throws app development over the wall to the cheapest vendor that has, well, bad developers typically.

Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!
