At least 25,000 iOS apps available in Apple’s App Store contain a critical vulnerability that may completely cripple HTTPS protections designed to prevent man-in-the-middle attacks that steal or modify sensitive data, security researchers warned.
As was the case with a separate HTTPS vulnerability reported earlier this week that affected 1,500 iOS apps, the bug resides in AFNetworking, an open-source code library that allows developers to drop networking capabilities into their iOS and OS X apps. Any app that uses a version of AFNetworking prior to the just-released 2.5.3 may expose data that’s trivial for hackers to monitor or modify, even when it’s protected by the secure sockets layer (SSL) protocol. The vulnerability can be exploited by using any valid SSL certificate for any domain name, as long as the digital credential was issued by a browser-trusted certificate authority (CA).”The result is an attacker with any valid certificate can eavesdrop on or modify an SSL session initiated by an app with this flawed library,” Nate Lawson, the founder of security analytics startup SourceDNA, told Ars. “The flaw is that the domain name is not checked in the cert, even though the cert is checked to be sure it was issued by a valid CA. For example, I can pretend to be ‘microsoft.com’ just by presenting a valid cert for ‘sourcedna.com.'”
Lawson estimated that the number of affected iOS apps ranged from 25,000 to as high as 50,000. SourceDNA has provided a free search tool that end users and developers can query to see if their apps are vulnerable. To make it harder for attackers to exploit the vulnerability maliciously, SourceDNA isn’t providing a comprehensive list of vulnerable apps.
A quick check found that apps from Bank of America, Wells Fargo, and JPMorgan Chase were likely affected, although some of those reports may be false positives. It’s possible that some apps flagged by SourceDNA use custom code or secondary measures such as certificate pinning that prevents attacks from working. Apps from Microsoft, meanwhile, remained vulnerable to the HTTPS-crippling bug reported earlier.