As many as 25,000 iOS apps are vulnerable to man-in-the-middle attacks capable of stealing user data through the use of freely available SSL certificates.
Researchers at SourceDNA found the bug in version 2.5.2 of AFNetworking, a library used by many iOS and Mac OSX developers for networking functions, while checking to see if a flaw in version 2.5.1 that accepted self-signed certificates had been fixed.
Whilst checking the code, the team found that the original flaw had been patched but discovered an issue with domain name validation that meant data could be intercepted if an attacker used a valid SSL certificate.
Up to 100,000 apps are believed to use AFNetworking and SourceDNA has urged developers to ensure they are using the latest version of the library to protect user data. It has released a tool called Sourcelight which shows which applications are still vulnerable.
“We notified our customers and contacted the developer. He released the updated version 2.5.3 earlier this week. If you are using AFNetworking (any version), you must upgrade to 2.5.3. Also, you should enable public key or certificate-based pinning as an extra defense. Neither of these game-over SSL bugs affected apps using pinning.
“This also shows that a bug is not truly fixed until it has made it into a release and into your apps and out to the app stores. Developers need to track the code in their apps to be sure patches aren’t lost along the way.”
UPDATE: 01/05/2013
The maintainers of AFNetworking have disputed SourceDNA’s findings, claiming there is no way to tell whether an app is vulnerable or not without actually attempting a man in the middle attack. They add that AFNetworking “strongly recommends” certificate or public key pinning that would prevent such a vulnerability.
“Adding pinned SSL certificates to your app helps prevent man-in-the-middle attacks and other vulnerabilities,” they said. “Applications dealing with sensitive customer data or financial information are strongly encouraged to route all communication over an HTTPS connection with SSL pinning configured and enabled.”
Version 2.5.3 guards against such vulnerabilities by enabling domain name validation even when not using SSL pinning.
What do you know about the iPhone 6, iPhone 6 Plus and Apple Watch? Try our quiz!
Fourth quarter results beat Wall Street expectations, as overall sales rise 6 percent, but EU…
Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…
Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…
Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…
Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…
Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…