An Estimated 1500 iOS Apps Have a Bug Affecting HTTPS Connectivity, Puts Data at Risk


    An estimated 1500 iOS applications suffer from a security vulnerability in their HTTPS handling that could put your private data at risk, as first pointed out by security researchers Simone Bovi and Mauro Gentile on their personal blog.

    The affected applications use an open-source library known as AFNetworking to create their "secure" HTTPS connections, but they ship an outdated version of the library that is known to contain the vulnerability. An updated version of the library was released to fix the problem, but developers reportedly haven't yet rebuilt their applications against the new AFNetworking release, which is the main issue behind this debacle.

    A full list of affected applications has not been released, to give developers time to update before the details become public. A small number of affected applications have, however, been noted by SourceDNA:

    An estimated two million people have installed the vulnerable apps, which include the Citrix OpenVoice Audio Conferencing, the Alibaba.com mobile app, Movies by Flixster with Rotten Tomatoes, KYBankAgent 3.0, and Revo Restaurant Point of Sale, according to analytics service SourceDNA.
    By shipping an outdated version of the AFNetworking library, these developers leave users of the affected applications open to man-in-the-middle attacks on unsecured Wi-Fi networks, because the bug doesn't force the application to check that the server's certificate is a legitimate one. Instead, an attacker could present a spoofed certificate to the device and obtain any information they desired, given enough skill.

    The issue occurs even when the mobile application explicitly asks the library to validate the server's SSL certificate.
    It appears that the only fix at this time would be for developers to update their applications to the latest version of the AFNetworking library, or for Apple to pull the applications from the App Store until further notice so that unsuspecting new users don't walk into a security trap.
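For developers who want their TLS validation settings to be visible in their own code rather than inherited from library defaults, here is an added example (not code from the article, the researchers, or the AFNetworking project) of configuring AFNetworking's security policy explicitly and handling the server-trust challenge with a fail-closed check. It assumes the AFNetworking 2.x API, in which +policyWithPinningMode: picks up every .cer file in the main bundle as a pinned certificate; MakeHardenedManager is a hypothetical helper name.

```objc
#import <AFNetworking/AFNetworking.h>

// Added example, not part of the article or of AFNetworking itself.
// Assumes AFNetworking 2.x, where +policyWithPinningMode: loads the .cer files
// found in the main bundle as the pinned certificate set.
static AFHTTPSessionManager *MakeHardenedManager(NSURL *baseURL) {
    AFHTTPSessionManager *manager = [[AFHTTPSessionManager alloc] initWithBaseURL:baseURL];

    // State every validation setting explicitly instead of relying on defaults.
    AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];
    policy.allowInvalidCertificates = NO;  // untrusted or self-signed chains are rejected
    policy.validatesDomainName = YES;      // certificate must match the host we connected to
    manager.securityPolicy = policy;

    // Handle the TLS server-trust challenge in app code so the trust decision is
    // made by a call we can read and audit, and fail closed when it does not pass.
    [manager setSessionDidReceiveAuthenticationChallengeBlock:^NSURLSessionAuthChallengeDisposition(
            NSURLSession *session,
            NSURLAuthenticationChallenge *challenge,
            NSURLCredential *__autoreleasing *credential) {
        NSURLProtectionSpace *space = challenge.protectionSpace;
        if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
            // Not a TLS trust challenge (e.g. HTTP auth): leave it to the system.
            return NSURLSessionAuthChallengePerformDefaultHandling;
        }
        if ([policy evaluateServerTrust:space.serverTrust forDomain:space.host]) {
            *credential = [NSURLCredential credentialForTrust:space.serverTrust];
            return NSURLSessionAuthChallengeUseCredential;
        }
        // Chain or hostname did not check out: drop the connection rather than continue.
        return NSURLSessionAuthChallengeCancelAuthenticationChallenge;
    }];

    return manager;
}
```

With pinning mode enabled, a bundle that contains no .cer file causes every request to fail rather than silently falling back to an unpinned connection, which is the behaviour you want. The caveat, and the article's actual point, is that evaluateServerTrust:forDomain: is still the library's code: if the AFNetworking version you ship skips validation internally, no amount of configuration on the calling side will restore it, so updating the library is the fix and the settings above are the defence in depth around it.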

    Sources: Minded Security via Ars Technica
    This article was originally published in the forum thread "An Estimated 1500 iOS Apps Have a Bug Affecting HTTPS Connectivity, Puts Data at Risk", started by Anthony Bouchard.

    Comments (4)

    1. TDH Advocate -
       Why has Apple or the companies not been alerted yet?

    2. SpiderManAPV -
       Quote Originally Posted by TDH Advocate:
       Why has Apple or the companies not been alerted yet?

       Where does it say they weren't alerted?

    3. Anthony Bouchard -
       Quote Originally Posted by TDH Advocate:
       Why has Apple or the companies not been alerted yet?

       There is little Apple can do except pull the 1500+ apps from the App Store.

       The problem is in the code used to make the applications, so this is 100% the fault of the developers for not updating to the latest framework available and continuing to use a legacy framework known to have issues.

    4. kyphur -
       Apple could deprecate and then discontinue the affected framework, thereby forcing the apps to update or die...