76 Popular iOS Apps Vulnerable To Man-In-The-Middle-Attacks

En-mass scanning of the binary code in applications on Apple’s App Store has revealed that 76 popular iOS apps are vulnerable to man-in-the-middle attacks that can be performed on connections which should be secured using Transport Later Security (TLS).

Apps such as the Tencent Cloud, Uploader for Snapchat, Huawei HiLink, and Vive News, were all found to be vulnerable to hack attacks that could steal or manipulate data if a mobile device is within Wi-Fi range of a malicious party.

The vulnerabilities were discovered by Will Strafach, a security specialist and the developer of the verify.ly mobile app analysis service.

Man-in-the-middle cyber threat

Wi-Fi invaders hackersStrafach noted that the common fear of being backed when using public Wi-Fi is a common concern, such TLS vulnerabilities, caused by misconfiguration of networking-related code within iOS apps, pose their own problem.

“The truth of the matter is, this sort of attack can be conducted by any party within Wi-Fi range of your device while it is in use. This can be anywhere in public, or even within your home if an attacker can get within close range,” he explained.

“Such an attack can be conducted using either custom hardware, or a slightly modified mobile phone, depending on the required range and capabilities. The best similar and well-understood form of attack to this would be the ability to read data from credit cards at a close range.”

Strafach said the onus for fixing such security holes is on the app developers not Apple, as if the Cupertino company was to override the TLS process, it would make some iOS applications less secure than before.

“Due to this, Apple’s “App Transport Security” mechanism will see the connection as a valid TLS connection, as it must allow the application to judge the certificate validity if it chooses to do so,” Strafach said.

“There is no possible fix to be made on Apple’s side, because if they were to override this functionality in attempt to block this security issue, it would actually make some iOS applications less secure as they would not be able to utilize certificate pinning for their connections, and they could not trust otherwise untrusted certificates which may be required for intranet connections within an enterprise using an in-house PKI.”

Many consider Apple to produce the most secure mobile and desktop software, but bugs still plagues Apple as much as they do Microsoft, with threats recently even hopping over form Linux and Windows to threaten Mac OS X.

Are you a security pro? Try our quiz!

Roland Moore-Colyer

As News Editor of Silicon UK, Roland keeps a keen eye on the daily tech news coverage for the site, while also focusing on stories around cyber security, public sector IT, innovation, AI, and gadgets.

Recent Posts

TSMC Denies Talks With Intel Over Chipmaking Joint Venture

Denial from TSMC, after multiple reports it was in talks with Intel over a joint…

1 day ago

Apple iPhone Shipments In China Slide, As Cook Talks With Trump Official

CEO Tim Cook talks to Trump official, as IDC notes China's smartphone market growth, and…

1 day ago

AMD Warns Of $800m Charge From US Chip Restrictions On China

Another big name chip maker expects a hefty financial charge, after the US tightened rules…

1 day ago

Google Digital Ad Network Ruled Illegal Monopoly By Judge

More bad news for Google. Second time in less than a year that some part…

2 days ago

US State Dept Closes Office Flagging Russia, China Disinformation

Federal office that tackled misinformation and disinformation from hostile nations is closed down, after criticism…

2 days ago

Nvidia CEO Jensen Huang Makes Surprise Visit To China

After Nvidia admits it will take $5.5 billion charge as Trump export limits of slower…

2 days ago