SSL Flaw Leaves 25,000 iOS Apps Open To Attack

As many as 25,000 iOS apps are vulnerable to man-in-the-middle attacks capable of stealing user data through the use of freely available SSL certificates.

Researchers at SourceDNA found the bug in version 2.5.2 of AFNetworking, a library used by many iOS and Mac OSX developers for networking functions, while checking to see if a flaw in version 2.5.1 that accepted self-signed certificates had been fixed.

Whilst checking the code, the team found that the original flaw had been patched but discovered an issue with domain name validation that meant data could be intercepted if an attacker used a valid SSL certificate.

Apple attacks

“This meant that a coffee shop attacker could still eavesdrop on private data or grab control of any SSL session between the app and the Internet,” said the researchers. “Because the domain name wasn’t checked, all they needed was a valid SSL certificate for any web server, something you can buy for $50.”

Up to 100,000 apps are believed to use AFNetworking and SourceDNA has urged developers to ensure they are using the latest version of the library to protect user data. It has released a tool called Sourcelight which shows which applications are still vulnerable.

“We notified our customers and contacted the developer. He released the updated version 2.5.3 earlier this week. If you are using AFNetworking (any version), you must upgrade to 2.5.3. Also, you should enable public key or certificate-based pinning as an extra defense. Neither of these game-over SSL bugs affected apps using pinning.

“This also shows that a bug is not truly fixed until it has made it into a release and into your apps and out to the app stores. Developers need to track the code in their apps to be sure patches aren’t lost along the way.”

UPDATE: 01/05/2013

The maintainers of AFNetworking have disputed SourceDNA’s findings, claiming there is no way to tell whether an app is vulnerable or not without actually attempting a man in the middle attack. They add that AFNetworking “strongly recommends” certificate or public key pinning that would prevent such a vulnerability.

“Adding pinned SSL certificates to your app helps prevent man-in-the-middle attacks and other vulnerabilities,” they said. “Applications dealing with sensitive customer data or financial information are strongly encouraged to route all communication over an HTTPS connection with SSL pinning configured and enabled.”

Version 2.5.3 guards against such vulnerabilities by enabling domain name validation even when not using SSL pinning.

What do you know about the iPhone 6, iPhone 6 Plus and Apple Watch? Try our quiz!

Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.

Recent Posts

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

1 day ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

1 day ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

2 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

2 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

2 days ago