Over 1,500 iOS Apps Are Vulnerable to Man-in-the-Middle Attacks

iOS has generally been regarded as more secure than any other OS. When it comes to apps, though, they can only be as well guarded as the developers building them choose to make them. It now appears that more than 1,500 iPad and iPhone apps contain an HTTPS-crippling security flaw that exposes users' bank account numbers, passwords and other sensitive information.

The flaw originates in an older version of the open source code library 'AFNetworking', which lets developers integrate networking capabilities into the apps they build. Although the AFNetworking developers fixed the bug with the release of an update (2.5.2), a large number of apps remain affected because they have yet to be updated from the older version 2.5.1.

As for how the flaw is used to compromise data, it is the basic man-in-the-middle attack at play. Ars Technica described it with the example of an attacker sitting in a coffee shop. Using the shop's WiFi network, the attacker only needs to intercept the connection of a susceptible device and present it with a certificate that appears to be valid. Because the app still ships the flawed library version, the certificate validation that should reject the fraudulent certificate never does, and the connection proceeds as usual.
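The following is an added example, not code from the article or from AFNetworking, written in Go rather than the Objective-C the affected apps use, to show the failure mode described above in a form that can be run on a single machine. It generates two self-signed certificates for the hypothetical hostname bank.example (one for the genuine server, one standing in for the attacker's forged copy), starts a loopback TLS server, and connects three ways: a client that skips certificate validation (the Go `InsecureSkipVerify` setting is used here as a stand-in for the library bug, not as a description of the AFNetworking code), a validating client faced with the forged certificate, and a validating client faced with the genuine one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical hostname the app believes it is talking to.
const host = "bank.example"

// newCert builds a self-signed certificate for host. It is called twice: once for
// the genuine server and once for the attacker's forged copy. Neither chains to a
// public CA, so only the client's explicit trust decides which one is accepted.
func newCert(serial int64) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// handshake starts a loopback TLS listener presenting serverCert, connects a client
// configured with clientCfg, and returns the client's handshake error (nil = accepted).
// Dialing 127.0.0.1 while asking for bank.example mirrors the coffee-shop case where
// the attacker's box answers for the real host.
func handshake(serverCert tls.Certificate, clientCfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		c.(*tls.Conn).Handshake() // server side completes or aborts the handshake
		c.Close()
	}()
	cfg := clientCfg.Clone()
	cfg.ServerName = host
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg) // Dial performs the handshake
	if err != nil {
		return err
	}
	return conn.Close()
}

// Outcome records whether each client accepted the server it connected to.
type Outcome struct {
	NoValidation     bool // validation skipped, forged certificate presented
	ValidatedForged  bool // validation on, forged certificate presented
	ValidatedGenuine bool // validation on, genuine certificate presented
}

// RunScenarios plays the three connections and reports what each client did.
func RunScenarios() (Outcome, error) {
	genuine, genuineLeaf, err := newCert(1)
	if err != nil {
		return Outcome{}, err
	}
	forged, _, err := newCert(2)
	if err != nil {
		return Outcome{}, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(genuineLeaf) // the only certificate the hardened client trusts
	insecure := &tls.Config{InsecureSkipVerify: true} // stand-in for the broken validation
	secure := &tls.Config{RootCAs: roots}
	return Outcome{
		NoValidation:     handshake(forged, insecure) == nil,
		ValidatedForged:  handshake(forged, secure) == nil,
		ValidatedGenuine: handshake(genuine, secure) == nil,
	}, nil
}

func main() {
	o, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("no validation, forged cert accepted:  %v\n", o.NoValidation)
	fmt.Printf("validation on, forged cert accepted:  %v\n", o.ValidatedForged)
	fmt.Printf("validation on, genuine cert accepted: %v\n", o.ValidatedGenuine)
}
```

Run with `go run .`: the non-validating client accepts the forged certificate, which is exactly the condition that lets the coffee-shop attacker read the traffic, while the validating client rejects it and still accepts the genuine server. The trust pool containing only the genuine certificate is a simple form of pinning; in a real app the pool would hold the CA or leaf the backend actually uses.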

Apps that are susceptible to this security flaw are reported to have been installed by more than a million people all over the world. They include the Alibaba.com mobile app, Movies by Flixster with Rotten Tomatoes, and Citrix OpenVoice Audio Conferencing.

On the bright side, SourceDNA scanned the App Store for susceptible apps and released a search tool to enable the public to check if their favourite apps have also been compromised.

If you wish to know if your favourite apps have also been targeted, view the iOS Security Report by SourceDNA here.
