Researchers have identified a serious vulnerability in at least 1,500 iOS apps. This security flaw has made the apps exploitable by hackers who look for victims to swipe passwords and obtain financial data.
Last month IT security firm SourceDNA discovered a bug that has been fixed in an open-source code update. This bug contained a serious vulnerability and still some app developers have ignored updating their apps to the new version.
The bug was identified in an AFNetworking version released in January as “an open-source code library that allows developers to drop networking capabilities into their apps.”
Reportedly, the vulnerability served as a facilitator of man-in-the-middle attack, which helps hackers gain access to HTTPS encrypted data. HTTPS is an internet security protocol used widely.
Ars Technica described the details of how hackers would attack the apps running 2.5.1 version of AFNetworking as:
“To exploit the bug, attackers on a coffee shop Wi-Fi network or in another position to monitor the connection of a vulnerable device need only present it with a fraudulent secure sockets layer certificate. Under normal conditions the credential would immediately be detected as a counterfeit, and the connection would be dropped. But because of a logic error in the code of version 2.5.1, the validation check is never carried out, so fraudulent certificates are fully trusted.”
SourceDNA scanned and analyzed the entire app database of 1.4million titles in the App Store after identifying the flawed code to see which of the apps are still vulnerable. Few relative apps contained the compromised source code. However, the problem is that popular apps like Movies by Flixster and Rotten Tomatoes were still found to be vulnerable.
Search SourceDNA’s iOS Security Report and see if your app is among the list of vulnerable apps.
Via: Ars Technica