1,500 iOS Apps Prone to Man-in-the-Middle Attacks Due to HTTPS-Crippling Bug


Some 1,500 iOS apps are vulnerable to man-in-the-middle attacks that let an attacker intercept encrypted passwords, bank account details and other sensitive information. The flaw cripples HTTPS for the affected apps: any data an iPhone or iPad sends over what should be a protected HTTPS connection, login credentials included, can be intercepted.

AFNetworking code error enables MITM attacks on iOS apps:

According to the latest findings from analytics company SourceDNA, some two million people who have installed the vulnerable apps are at risk. The affected apps include some major names, such as the Alibaba.com mobile app, Movies by Flixster with Rotten Tomatoes, and Citrix OpenVoice Audio Conferencing.

The vulnerability comes from an older version of AFNetworking, an open-source code library that lets developers drop networking capabilities into their apps or, simply put, handles the connection to the server.

The issue occurs even when the mobile application requests that the library apply server-validation checks on SSL certificates. We tested the app [AFNetworking 2.5.1] on a real device and, unexpectedly, we found that all the SSL traffic could be regularly intercepted through a proxy like Burp without any intervention!

This bug cripples HTTPS: through a MitM attack, an attacker can read data that should have stayed HTTPS-encrypted. An attacker intending to exploit the bug can set up a fake WiFi hotspot and present a forged certificate to the app in order to intercept its traffic. Against a properly secured connection this should not work, because the fraudulent certificate would be detected as counterfeit and the connection dropped; it works here because the bug in the library leaves the affected apps unable to check the server's security certificate, so the forged one is accepted.

The report reveals that although AFNetworking fixed the flaw three weeks ago in its latest version, 2.5.2, the bug still affects some 1,500 iOS apps built with the earlier 2.5.1 release, introduced in January.
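The configuration side of this, as an added example that is not code from the article, from SourceDNA or from the AFNetworking project: how an app built on AFNetworking 2.x sets up its AFSecurityPolicy so that chain validation and host-name validation are explicitly enabled and the server certificate is pinned. The host name api.example.com and the bundled certificate file api.example.com.cer are placeholders. Pinning adds a check the library performs against a certificate shipped inside the app, independent of the default chain validation, so a certificate issued by a different CA is refused even if the system trust store would accept it; it does not excuse staying on a library version with a known validation bug.

```objectivec
#import <AFNetworking/AFNetworking.h>

// Added example, not code from the article or from AFNetworking itself.
// Assumes the server's leaf certificate is bundled in DER form as
// "api.example.com.cer"; the host name is a placeholder.
static AFHTTPRequestOperationManager *MakePinnedManager(void) {
    NSURL *baseURL = [NSURL URLWithString:@"https://api.example.com"];
    AFHTTPRequestOperationManager *manager =
        [[AFHTTPRequestOperationManager alloc] initWithBaseURL:baseURL];

    // The weak configuration that sometimes ships from a debugging session:
    //   policy.allowInvalidCertificates = YES;  // any certificate, self-signed included, is accepted
    //   policy.validatesDomainName = NO;        // a valid certificate for any other host is accepted
    // Either setting lets a rogue hotspot's certificate through, library bug or not.

    AFSecurityPolicy *policy =
        [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];
    policy.allowInvalidCertificates = NO;  // chain must validate against the system trust store
    policy.validatesDomainName = YES;      // and the leaf must match the host being contacted

    // Pin the server's certificate on top of chain validation: the library compares
    // the presented leaf against this DER blob, so a certificate from a different CA
    // is rejected even when the system would trust it.
    NSString *certPath = [[NSBundle mainBundle] pathForResource:@"api.example.com"
                                                         ofType:@"cer"];
    NSData *certData = [NSData dataWithContentsOfFile:certPath];
    NSAssert(certData != nil, @"pinned certificate missing from the app bundle");
    policy.pinnedCertificates = @[certData];

    manager.securityPolicy = policy;
    return manager;
}

// Usage: every request through this manager is subject to the policy above.
static void FetchAccount(void) {
    AFHTTPRequestOperationManager *manager = MakePinnedManager();
    [manager GET:@"account"
      parameters:nil
         success:^(AFHTTPRequestOperation *operation, id responseObject) {
             NSLog(@"account data received over a validated, pinned connection");
         }
         failure:^(AFHTTPRequestOperation *operation, NSError *error) {
             // A forged or mismatched certificate surfaces here as a connection failure.
             NSLog(@"request failed: %@", error);
         }];
}
```

A quick check for any build, regardless of library version: run the app on a device with an intercepting proxy such as Burp in the path but without installing the proxy's CA certificate on the device. If requests succeed and appear in the proxy, the app is accepting a certificate it should have rejected.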

To be on the safe side and confirm whether you are using any of the 1,500 affected apps, use the search tool developed by SourceDNA.

Source: SourceDNA | More details: ArsTechnica