At least 76 popular iOS apps have been found to be vulnerable to data inception, according to a report from a security expert.
The discovery was made by app binary code scanning service verify.ly and published in a Medium post by Sudo Security Group CEO Will Strafach, who revealed that the apps failed to make use of the Transport Layer Security protocol.
The TLS protocol secures communication between client and server. Without the protection, the apps are susceptible to data interception by an attacker with access to custom hardware such as modified smartphone, which can be used to initiate TLS certificate injection attacks. The interception is possible regardless of whether the developers chose to use Apple networking security feature, App Transport Security.
The truth of the matter is, this sort of attack can be conducted by any party within Wi-Fi range of your device while it is in use. This can be anywhere in public, or even within your home if an attacker can get within close range.
There is no possible fix to be made on Apple's side, because if they were to override this functionality in attempt to block this security issue, it would actually make some iOS applications less secure as they would not be able to utilize certificate pinning for their connections, and they could not trust otherwise untrusted certificates which may be required for intranet connections within an enterprise using an in-house PKI. Therefore, the onus rests solely on app developers themselves to ensure their apps are not vulnerable.
Apps in the vulnerable list included a number of popular downloads like third-party Snapchat apps, the official app for Vice News, and banking apps for banks based in Puerto Rico and Libya.
Strafach sorted the 76 apps into low, medium, and high risk categories, and says he is reaching out to developers to fix the problems before disclosing the most high-risk apps in the list. According to Strafach, more than 18,000,000 downloads of the vulnerable app versions have been downloaded from the App Store.
Until the issues are dealt with, Strafach advises users of the apps to avoid accessing them over Wi-Fi, as it's harder to exploit the vulnerabilities over a cellular network.
Top Rated Comments
Not really, or at least this is a misleading statement. Obscure networking attacks are hardly particular to Apple devices. That's what bug bounties and security updates are for in all OS's. But if you prefer the wild west of the uncurated Google play store, go right ahead. But I agree with using a VPN service. Anyone who's fool enough to conduct financial transactions on an open WiFi network...
Cellular is better, at least compared to open WiFi, but get a respected VPN service if you take security seriously.
On another note, I'm going to start using LTE more instead of wifi.
This problem exists in an order of magnitude greater numbers ('https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html') in Google Play. Your position seems to be that Apple has no right to market its more secure App Store as more secure unless is can guarantee zero exploits. Sure, bad stuff can get through, but if your main concern is the safety of offerings, you'll pick the App Store over Google Play every time. Inversely, Google isn't absolved of dealing with appsec just because they don't advertise it as an asset.
In the western world banks (or other companies using sensitive data) would immediately be penalized for not securing their users data (and would likely lose a whole lot of customers).