As many as 25,000 iOS apps are vulnerable to man-in-the-middle attacks capable of stealing user data through the use of freely available SSL certificates.
Researchers at SourceDNA found the bug in version 2.5.2 of AFNetworking, a library used by many iOS and Mac OS X developers for networking functions, while checking whether a flaw in version 2.5.1 that accepted self-signed certificates had been fixed.
Whilst checking the code, the team found that the original flaw had been patched but discovered a separate issue with domain name validation: because the certificate's domain name was not checked against the host being contacted, data could be intercepted if an attacker used any valid SSL certificate.
Up to 100,000 apps are believed to use AFNetworking and SourceDNA has urged developers to ensure they are using the latest version of the library to protect user data. It has released a tool called Sourcelight which shows which applications are still vulnerable.
“We notified our customers and contacted the developer. He released the updated version 2.5.3 earlier this week. If you are using AFNetworking (any version), you must upgrade to 2.5.3. Also, you should enable public key or certificate-based pinning as an extra defense. Neither of these game-over SSL bugs affected apps using pinning.
“This also shows that a bug is not truly fixed until it has made it into a release and into your apps and out to the app stores. Developers need to track the code in their apps to be sure patches aren’t lost along the way.”
UPDATE: 01/05/2013
The maintainers of AFNetworking have disputed SourceDNA’s findings, claiming there is no way to tell whether an app is vulnerable without actually attempting a man-in-the-middle attack against it. They add that AFNetworking “strongly recommends” certificate or public key pinning, which would prevent such a vulnerability.
“Adding pinned SSL certificates to your app helps prevent man-in-the-middle attacks and other vulnerabilities,” they said. “Applications dealing with sensitive customer data or financial information are strongly encouraged to route all communication over an HTTPS connection with SSL pinning configured and enabled.”
Version 2.5.3 guards against such vulnerabilities by enabling domain name validation even when not using SSL pinning.
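The maintainers' recommendation, shown as an added example that is not code from the article or from the AFNetworking project: an AFNetworking 2.x security policy with public key pinning and domain name validation switched on, beside the default (unpinned) policy whose domain check was the one 2.5.2 skipped. The bundled certificate file name `server.cer` and the request URL are assumptions.

```objective-c
#import <AFNetworking/AFNetworking.h>

// Weak configuration: the stock policy with no pinning. In AFNetworking 2.5.2
// the domain name check was not applied in this mode, so a certificate issued
// to any host by a trusted CA was accepted for any connection.
static AFSecurityPolicy *WeakPolicy(void) {
    return [AFSecurityPolicy defaultPolicy];   // AFSSLPinningModeNone
}

// Hardened configuration: pin the server's public key and insist that the
// presented certificate's name matches the host. A pinned policy was not
// affected by either of the 2.5.x bugs, and 2.5.3 additionally validates the
// domain even when pinning is off.
static AFSecurityPolicy *PinnedPolicy(void) {
    AFSecurityPolicy *policy =
        [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey];
    policy.validatesDomainName = YES;        // reject certs issued for another host
    policy.allowInvalidCertificates = NO;    // reject self-signed / untrusted chains

    // 2.x loads every .cer in the main bundle by default; set the set explicitly
    // so the pinned key is obvious in code review. "server.cer" is an assumed name.
    NSString *certPath = [[NSBundle mainBundle] pathForResource:@"server" ofType:@"cer"];
    NSData *certData = [NSData dataWithContentsOfFile:certPath];
    NSCAssert(certData != nil, @"pinned certificate missing from bundle");
    policy.pinnedCertificates = @[certData];
    return policy;
}

// Usage: attach the hardened policy to the request manager before issuing
// any request. The URL below is a placeholder.
static AFHTTPRequestOperationManager *MakeManager(void) {
    AFHTTPRequestOperationManager *manager = [AFHTTPRequestOperationManager manager];
    manager.securityPolicy = PinnedPolicy();
    [manager GET:@"https://api.example.invalid/account"
      parameters:nil
         success:^(AFHTTPRequestOperation *op, id responseObject) {
             NSLog(@"pinned request succeeded");
         }
         failure:^(AFHTTPRequestOperation *op, NSError *error) {
             // A name or key mismatch surfaces here as a connection error.
             NSLog(@"pinned request failed: %@", error);
         }];
    return manager;
}
```

Public key pinning (`AFSSLPinningModePublicKey`) survives certificate renewal as long as the key pair is kept, which is why it is usually preferred over `AFSSLPinningModeCertificate`; whichever mode is used, `validatesDomainName` should stay `YES`, since a pinned key with a disabled name check still leaves the host identity unverified if the same key is ever reused across hosts.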