SSL Flaw Leaves 25,000 iOS Apps Open To Attack

As many as 25,000 iOS apps are vulnerable to man-in-the-middle attacks capable of stealing user data through the use of freely available SSL certificates.

Researchers at SourceDNA found the bug in version 2.5.2 of AFNetworking, a library used by many iOS and Mac OSX developers for networking functions, while checking to see if a flaw in version 2.5.1 that accepted self-signed certificates had been fixed.

Whilst checking the code, the team found that the original flaw had been patched but discovered an issue with domain name validation that meant data could be intercepted if an attacker used a valid SSL certificate.

Apple attacks

“This meant that a coffee shop attacker could still eavesdrop on private data or grab control of any SSL session between the app and the Internet,” said the researchers. “Because the domain name wasn’t checked, all they needed was a valid SSL certificate for any web server, something you can buy for $50.”

Up to 100,000 apps are believed to use AFNetworking and SourceDNA has urged developers to ensure they are using the latest version of the library to protect user data. It has released a tool called Sourcelight which shows which applications are still vulnerable.

“We notified our customers and contacted the developer. He released the updated version 2.5.3 earlier this week. If you are using AFNetworking (any version), you must upgrade to 2.5.3. Also, you should enable public key or certificate-based pinning as an extra defense. Neither of these game-over SSL bugs affected apps using pinning.

“This also shows that a bug is not truly fixed until it has made it into a release and into your apps and out to the app stores. Developers need to track the code in their apps to be sure patches aren’t lost along the way.”

UPDATE: 01/05/2013

The maintainers of AFNetworking have disputed SourceDNA’s findings, claiming there is no way to tell whether an app is vulnerable or not without actually attempting a man in the middle attack. They add that AFNetworking “strongly recommends” certificate or public key pinning that would prevent such a vulnerability.

“Adding pinned SSL certificates to your app helps prevent man-in-the-middle attacks and other vulnerabilities,” they said. “Applications dealing with sensitive customer data or financial information are strongly encouraged to route all communication over an HTTPS connection with SSL pinning configured and enabled.”

Version 2.5.3 guards against such vulnerabilities by enabling domain name validation even when not using SSL pinning.

What do you know about the iPhone 6, iPhone 6 Plus and Apple Watch? Try our quiz!

Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.

Recent Posts

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

12 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

14 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

16 hours ago

FTX Co-Founder Gary Wang Spared Prison

Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…

17 hours ago