Over 20,000 iOS Apps Vulnerable Due to Old SSL Flaw
A firm that audits mobile apps in the Apple App Store and the Google Play Store made an interesting discovery last week: roughly 25,000 iOS applications are still using an old version of the AFNetworking library, which means they are vulnerable to well-known exploits in the SSL protocol that have since been fixed in an update of AFNetworking.
Programming is hard work, and occasionally when a core library is updated, an application needs substantial changes in order to work with the new library. According to SourceDNA, a firm which runs various metrics, including vulnerability and stability, across the entire iOS App Store, updating the library was not enough to plug the holes, and as many as 25,000 apps remain open to snooping because their SSL implementations are outdated and flawed.
The biggest implication for users of these apps is that someone on the same network can easily view data being transmitted to and from the phone. If a user is at a coffee shop or anywhere else with free Wi-Fi, they could have sensitive data stolen. Many apps, after all, require credit card information in order to make purchases.
Not the First AFNetworking Bug
Version 2.5.1 of AFNetworking had an equally disturbing flaw: self-signed SSL certificates were considered valid. That could have led to all kinds of problems. The version was updated after six weeks, a long period in the hacking world. Since then, SourceDNA has been watching AFNetworking closely, which is how it discovered the new flaw: domain name validation was off by default. According to the firm:
Domain name validation could be enabled by the validatesDomainName flag, but it was off by default. It was only enabled when certificate pinning was turned on, something too few developers are using. […] This meant that a coffee shop attacker could still eavesdrop on private data or grab control of any SSL session between the app and the Internet. Because the domain name wasn’t checked, all they needed was a valid SSL certificate for any web server, something you can buy for $50.
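The quoted passage describes a client that validates the certificate chain but never asks whether the certificate was issued for the host it is talking to. The following added example (not AFNetworking's code or SourceDNA's) shows that missing hostname check in isolation: certificates are constructed dicts in the shape Python's ssl.SSLSocket.getpeercert() returns, and the validates_domain_name parameter models the flag described above.

```python
# Added illustration of the check AFNetworking's validatesDomainName flag enables.
# Certificates use the dict shape of ssl.SSLSocket.getpeercert(), so it runs offline.
import ipaddress

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname (case-insensitive).
    A wildcard is honoured only as the whole left-most label and must leave at
    least two fixed labels, so '*.test' never matches 'example.test'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    return p[0] == "*" and len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]

def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the certificate was issued for `hostname`. DNS SANs win; the
    subject CN is consulted only when the certificate has no DNS SAN at all."""
    sans = cert.get("subjectAltName", ())
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]
    try:
        addr = ipaddress.ip_address(hostname)   # literal IP: only IP SANs count
    except ValueError:
        addr = None
    if addr is not None:
        return any(ipaddress.ip_address(ip) == addr for ip in ip_names)
    if not dns_names:
        dns_names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(dns_name_matches(name, hostname) for name in dns_names)

def server_trust_ok(chain_valid: bool, cert: dict, hostname: str,
                    validates_domain_name: bool) -> bool:
    """Trust decision modelled on the flaw: with domain validation off, any
    CA-signed certificate for any name is accepted for the app's host."""
    if not chain_valid:
        return False
    return hostname_matches(cert, hostname) if validates_domain_name else True

# Constructed certificates (not real hosts): the app's endpoint and an unrelated
# but perfectly valid CA-signed certificate for some other server.
APP_CERT = {"subject": ((("commonName", "api.example-shop.test"),),),
            "subjectAltName": (("DNS", "api.example-shop.test"), ("DNS", "*.example-shop.test"))}
OTHER_CERT = {"subject": ((("commonName", "www.unrelated.test"),),),
              "subjectAltName": (("DNS", "www.unrelated.test"),)}

if __name__ == "__main__":
    host = "api.example-shop.test"
    for flag in (False, True):
        print(f"validatesDomainName={flag}: unrelated cert accepted ->",
              server_trust_ok(True, OTHER_CERT, host, flag))   # True, then False
```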
Since this flaw is specific to AFNetworking, it only affects users of OS X and iOS apps built with the library, which appears to be used more often by mobile developers than by desktop developers. According to SourceDNA, 25,000 apps which use AFNetworking have yet to upgrade from 2.5.2, which fixed the previous vulnerability, to 2.5.3, which fixes the current, more pressing flaw. The firm recommends that any developer using AFNetworking update immediately to the latest version, but that urging will only go so far.
There are, for instance, likely to be abandoned apps on that list of 25,000, apps that no longer see any development, as well as apps that are a low priority for their developers. That leaves it up to the App Store to decide how long developers get to update their software before the apps are temporarily pulled from the store. Hacked will monitor the situation and continue reporting on it.