76 Popular iOS Apps Vulnerable To Man-In-The-Middle-Attacks

En-mass scanning of the binary code in applications on Apple’s App Store has revealed that 76 popular iOS apps are vulnerable to man-in-the-middle attacks that can be performed on connections which should be secured using Transport Later Security (TLS).

Apps such as the Tencent Cloud, Uploader for Snapchat, Huawei HiLink, and Vive News, were all found to be vulnerable to hack attacks that could steal or manipulate data if a mobile device is within Wi-Fi range of a malicious party.

The vulnerabilities were discovered by Will Strafach, a security specialist and the developer of the verify.ly mobile app analysis service.

Man-in-the-middle cyber threat

Strafach noted that the common fear of being backed when using public Wi-Fi is a common concern, such TLS vulnerabilities, caused by misconfiguration of networking-related code within iOS apps, pose their own problem.

“The truth of the matter is, this sort of attack can be conducted by any party within Wi-Fi range of your device while it is in use. This can be anywhere in public, or even within your home if an attacker can get within close range,” he explained.

“Such an attack can be conducted using either custom hardware, or a slightly modified mobile phone, depending on the required range and capabilities. The best similar and well-understood form of attack to this would be the ability to read data from credit cards at a close range.”

Strafach said the onus for fixing such security holes is on the app developers not Apple, as if the Cupertino company was to override the TLS process, it would make some iOS applications less secure than before.

“Due to this, Apple’s “App Transport Security” mechanism will see the connection as a valid TLS connection, as it must allow the application to judge the certificate validity if it chooses to do so,” Strafach said.

“There is no possible fix to be made on Apple’s side, because if they were to override this functionality in attempt to block this security issue, it would actually make some iOS applications less secure as they would not be able to utilize certificate pinning for their connections, and they could not trust otherwise untrusted certificates which may be required for intranet connections within an enterprise using an in-house PKI.”

Many consider Apple to produce the most secure mobile and desktop software, but bugs still plagues Apple as much as they do Microsoft, with threats recently even hopping over form Linux and Windows to threaten Mac OS X.

Are you a security pro? Try our quiz!