76 Popular iOS Apps Vulnerable To Man-In-The-Middle Attacks

En masse scanning of the binary code in applications on Apple’s App Store has revealed that 76 popular iOS apps are vulnerable to man-in-the-middle attacks on connections that should be secured using Transport Layer Security (TLS).

Apps such as Tencent Cloud, Uploader for Snapchat, Huawei HiLink and Vive News were all found to be vulnerable to attacks that could steal or manipulate data if a mobile device is within Wi-Fi range of a malicious party.

The vulnerabilities were discovered by Will Strafach, a security specialist and the developer of the verify.ly mobile app analysis service.

Man-in-the-middle cyber threat

Strafach noted that while being hacked when using public Wi-Fi is a common concern, such TLS vulnerabilities, caused by misconfiguration of networking-related code within iOS apps, pose their own problem.

“The truth of the matter is, this sort of attack can be conducted by any party within Wi-Fi range of your device while it is in use. This can be anywhere in public, or even within your home if an attacker can get within close range,” he explained.

“Such an attack can be conducted using either custom hardware, or a slightly modified mobile phone, depending on the required range and capabilities. The best similar and well-understood form of attack to this would be the ability to read data from credit cards at a close range.”

Strafach said the onus for fixing such security holes is on the app developers, not Apple: if the Cupertino company were to override the TLS process, it would make some iOS applications less secure than before.

“Due to this, Apple’s “App Transport Security” mechanism will see the connection as a valid TLS connection, as it must allow the application to judge the certificate validity if it chooses to do so,” Strafach said.

“There is no possible fix to be made on Apple’s side, because if they were to override this functionality in attempt to block this security issue, it would actually make some iOS applications less secure as they would not be able to utilize certificate pinning for their connections, and they could not trust otherwise untrusted certificates which may be required for intranet connections within an enterprise using an in-house PKI.”
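As an added illustration (not code from the article, from Strafach, or from any of the named apps): the kind of app-side trust handling the quotes above refer to, next to a corrected version that evaluates the chain and then pins the server certificate. The class names and the pinned-certificate set are hypothetical, the example assumes a publicly trusted server certificate, and `SecTrustCopyCertificateChain` requires iOS 15 or later.

```swift
import Foundation
import Security

// Misconfigured pattern: the app takes over the trust decision and accepts
// whatever certificate the server presents. ATS still sees a "valid" TLS session.
final class AcceptAnythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if let trust = challenge.protectionSpace.serverTrust {
            // No evaluation at all: any certificate is treated as trusted.
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

// Corrected pattern: run the system trust evaluation first, then require the
// leaf certificate to match one shipped with the app (certificate pinning).
final class PinnedDelegate: NSObject, URLSessionDelegate {
    // DER-encoded certificates bundled with the app (hypothetical input).
    private let pinnedLeafCertificates: Set<Data>

    init(pinnedLeafCertificates: Set<Data>) {
        self.pinnedLeafCertificates = pinnedLeafCertificates
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            // Not a server-trust challenge: leave it to the system.
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Fail closed unless the chain validates AND the leaf is a pinned one.
        guard SecTrustEvaluateWithError(trust, nil),
              let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first,
              pinnedLeafCertificates.contains(SecCertificateCopyData(leaf) as Data) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}
```

An app that implements no challenge handler at all gets the system's default certificate validation; the delegate is only needed when the app has a reason to add to that check, such as pinning.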

Many consider Apple to produce the most secure mobile and desktop software, but bugs still plague Apple as much as they do Microsoft, with threats recently even hopping over from Linux and Windows to threaten Mac OS X.

Roland Moore-Colyer

As News Editor of Silicon UK, Roland keeps a keen eye on the daily tech news coverage for the site, while also focusing on stories around cyber security, public sector IT, innovation, AI, and gadgets.
