1,500 iOS apps sport flaw that allows interception of sensitive user data
A bug in an older version of AFNetworking, an open source library widely used for adding networking capabilities to iOS and OS X apps, can allow attackers to intercept and decrypt HTTPS traffic between apps and servers, effectively revealing all the sensitive information exchanged, such as passwords, bank account information, and so on.
It was reported to the developers in February, and they finally issued a fix on March 26 by releasing version 2.5.2 of the library. More information about how the problem came to be can be found in this blog post by researchers Simone Bovi and Mauro Gentile.
The issue gained higher visibility this week after SourceDNA released the results of their scanning of a million apps available for download in Apple’s App Store (the free ones and the 5,000 most popular paid ones): some 1,500 of them use the vulnerable library version.
Among these are some very popular ones such as the Alibaba.com mobile app and the Citrix OpenVoice Audio Conferencing app. All in all, these apps have been downloaded and installed by some two million people, as reported by Ars Technica.
The list of vulnerable apps was initially longer, but SourceDNA quietly began warning app developers of the problem weeks ago, which resulted in many of them updating the library to the newer version.
The company has also released a search tool for developers and users to check which apps are still vulnerable.
“As apps continue to be patched and released, we’ll keep you informed as to how quickly developers are addressing this major flaw. We’ve already seen some good uptake of the fixed 2.5.2 version in the latest versions of vulnerable apps (kudos to Yahoo for quickest patch!) but some are still in the App Store review queue,” they noted, and promised an update on the situation.