SSL flaw renders millions of iOS app users vulnerable to data theft

23 Apr 2015


A weakness in their mobile security has affected around 1,000 iOS apps, rendering encrypted data such as passwords, bank account numbers and home addresses easily accessible to hackers as it was being sent over the airwaves, a report from security firm SourceDNA said.

Companies including Microsoft, Uber and Yahoo had all released apps affected by the flaw; while they had since fixed them, many other developers were yet to update their apps to a new, secure version.

The affected apps all shared the same code, freely available to developers to help them incorporate encryption into their programmes.

AFNetworking, as the code library is called, had a flaw in its implementation of SSL, the web security technology that enables the exchange of sensitive data over the net. The flaw, introduced into the library in January, was fixed in late March, but 1,000 or so apps still ran the vulnerable version.

After scanning all the free apps and the top 5,000 paid ones available on the iOS App Store, the firm found 100,000 that used AFNetworking, of which 20,000 had been released since the vulnerability was introduced into the library.

''Our system then scanned those apps with the differential signatures to see which ones actually had the vulnerable code,'' the company writes. ''The results? 55% had the older but safe 2.5.0 code, 40% were not using the portion of the library that provides the SSL API, and 5% or about 1,000 apps had the flaw.''

SourceDNA said a missing SSL validation check in the AFNetworking software development kit was present in the GitHub repository from 24 January to 25 March.

During that period the library jumped to version 2.5.1, in which the vulnerability was present; it was patched in 2.5.2.
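As an added illustration (not code from the article or from AFNetworking itself), here is a simplified Python model of the class of bug described above: a trust-evaluation routine that skips certificate validation whenever no certificate pinning is configured, shown beside the corrected logic that always validates the chain. The certificate records, root store and hostnames are constructed for the demonstration.

```python
# Constructed model of a client-side server-trust check; not the library's real code.
from datetime import date

TRUSTED_ROOTS = {"Example Root CA"}   # constructed root store
TODAY = date(2015, 4, 23)             # evaluation date used for expiry checks

def cert(subject, issuer, key, not_after=date(2017, 1, 1)):
    """Constructed stand-in for an X.509 certificate."""
    return {"subject": subject, "issuer": issuer, "public_key": key, "not_after": not_after}

# A properly issued chain (leaf -> intermediate, intermediate signed by a trusted root)
GOOD_CHAIN = [cert("api.example.com", "Example Intermediate CA", "key-leaf-1"),
              cert("Example Intermediate CA", "Example Root CA", "key-int-1")]
# A self-signed certificate not chained to any trusted root
SELF_SIGNED = [cert("api.example.com", "api.example.com", "key-untrusted")]

def chain_is_valid(chain, host, today=TODAY):
    """Toy stand-in for OS trust evaluation: the leaf must match the host, no
    certificate may be expired, each certificate must be issued by the next one
    up, and the top of the chain must be issued by a trusted root."""
    if not chain or chain[0]["subject"] != host:
        return False
    if any(today > c["not_after"] for c in chain):
        return False
    if any(child["issuer"] != parent["subject"] for child, parent in zip(chain, chain[1:])):
        return False
    return chain[-1]["issuer"] in TRUSTED_ROOTS

def evaluate_server_trust_vulnerable(chain, host, pinned_keys=frozenset()):
    """Flawed policy: validation only happens on the pinning path, so an app that
    configured no pins (the common case) accepts any certificate at all."""
    if not pinned_keys:
        return True   # the flaw: "trusted" without ever looking at the chain
    return chain_is_valid(chain, host) and chain[0]["public_key"] in pinned_keys

def evaluate_server_trust_fixed(chain, host, pinned_keys=frozenset()):
    """Corrected policy: the chain is always validated; pins are an extra check."""
    if not chain_is_valid(chain, host):
        return False
    return not pinned_keys or chain[0]["public_key"] in pinned_keys

def demo():
    """Returns {case: (vulnerable_result, fixed_result)} for three constructed cases."""
    cases = {"valid": (GOOD_CHAIN, "api.example.com"),
             "self-signed": (SELF_SIGNED, "api.example.com"),
             "wrong host": (GOOD_CHAIN, "login.example.com")}
    return {name: (evaluate_server_trust_vulnerable(chain, host),
                   evaluate_server_trust_fixed(chain, host))
            for name, (chain, host) in cases.items()}
```

Only the "valid" case should be accepted by a correct client; the flawed policy accepts all three, which is exactly what lets an interposed server read the "encrypted" traffic.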

The company used differential fingerprinting to track down the vulnerable apps. It explained in a blog post: "We currently track AFNetworking, along with about 1,500 other commercial and open source SDKs.

"This includes code written in Java, Objective-C, Swift, C/C++, C#, Lua and JavaScript for libraries that provide analytics, game engines, ads, payments and every other service.

"This data helps platform vendors track their market share versus competitors and plan their product roadmap.

"The day the flaw was announced and patched, a quick search in SourceDNA showed that about 20,000 iOS apps (out of the 100,000 apps that use AFNetworking) contained the AFNetworking library and were updated or released on the App Store after the flawed code was committed."
