Popular iOS Apps – Including Some Medical & Banking Apps – Vulnerable to MITM Attacks
According to a security researcher, 76 popular iOS apps allow a silent man-in-the-middle attack, exposing user and device data to interception.
76 popular iOS apps are exposing user data to hackers – over 18 million downloads
Will Strafach was scanning the binary codes of applications in the iOS App Store for his service verify.ly – a web-based mobile app analysis service – when he detected that over 76 popular apps in the store are vulnerable to data interception.
“Automatically scanning the binary code of applications within the Apple App Store en-masse allowed us to get a vast amount of information about these security issues,” Strafach, a cyber security expert, wrote in a post today.
The post detailed how many of the vulnerable apps mishandle the way they transmit data. “The App Transport Security feature of iOS does not and cannot help block this vulnerability from working,” Strafach said. ATS was introduced in iOS 9 to help improve user security and privacy with HTTPS. While Apple had set January 1 2017 as a deadline for developers to adopt HTTPS, the date has now been pushed back.
These vulnerable apps are exposing user data to interception because of being misconfigured as they fail at handling encryption. The issue relies in misconfigured networking code which causes ATS to see even the non-secure connections as valid TLS connections. This means these apps will accept an encryption certificate, even if it’s invalid.
The truth of the matter is, this sort of attack can be conducted by any party within Wi-Fi range of your device while it is in use. This can be anywhere in public, or even within your home if an attacker can get within close range. Such an attack can be conducted using either custom hardware, or a slightly modified mobile phone, depending on the required range and capabilities. The best similar and well-understood form of attack to this would be the ability to read data from credit cards at a close range.
Strafach said he has confirmed that each vulnerable app was exposing data with an iPhone running iOS 10 and “a ‘malicious’ proxy to insert an invalid TLS certificate into the connection for testing.” He added that the vulnerable iOS apps have been downloaded for over 18 million times, according to figures from Apptopia.
Strafach has split the 76 vulnerable iOS apps into low, medium and high risk, adding that 19 high-risk apps leave financial or medical service login details open to interception. Talking about fixes, Strafach added Apple can’t help:
There is no possible fix to be made on Apple’s side, because if they were to override this functionality in attempt to block this security issue, it would actually make some iOS applications less secure as they would not be able to utilize certificate pinning for their connections, and they could not trust otherwise untrusted certificates which may be required for intranet connections within an enterprise using an in-house PKI. Therefore, the onus rests solely on app developers themselves to ensure their apps are not vulnerable.
Users are, however, advised to switch off Wi-Fi when they’re in a public location, as “the vulnerability is very likely to only be exploited if your connection is flowing over Wi-Fi.”