Thread: An Estimated 1500 iOS Apps Have a Bug Affecting HTTPS Connectivity, Puts Data at Risk

  1. #1


    An estimated 1500 iOS applications suffer from a security vulnerability having to do directly with HTTPS that could put your private data at risk, as first pointed out by security researchers Simone Bovi and Mauro Gentile on their personal blog.

    The affected applications use an open-source library known as AFNetworking to create their "secure" connections using HTTPS, although they are using an outdated version of the library known to have the exploit. An updated version of the library was released to fix the problem, but developers reportedly haven't yet updated their applications to take advantage of the new AFNetworking library, which is the main issue causing this debacle.

    A full list of applications affected has not been released to protect the security of said applications long enough for developers to update their applications. But a small number of affected applications have been noted by SourceDNA:

    An estimated two million people have installed the vulnerable apps, which include the Citrix OpenVoice Audio Conferencing, the Alibaba.com mobile app, Movies by Flixster with Rotten Tomatoes, KYBankAgent 3.0, and Revo Restaurant Point of Sale, according to analytics service SourceDNA.

    Piggybacking off of an outdated version of the AFNetworking library, these developers leave users of these affected applications open to man-in-the-middle attacks on unsecured Wi-Fi networks because the bug doesn't force the application to check the certificate used to make sure it's a legitimate one. Instead, a hacker could spoof the certificate used by a device to obtain any information they desired, with enough skill of course.

    The issue occurs even when the mobile application requests the library to apply checks for server validation in SSL certificates.

    It appears that the only fix as of this time would be for developers to update their applications for the latest security by taking advantage of the latest version of the AFNetworking library, or for Apple to pull the applications from the App Store until further notice so that new unsuspecting users don't walk into a security trap.

    Sources: Minded Security via Ars Technica
    Last edited by Anthony Bouchard; 2015-04-21 at 05:12 PM.
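
Added example (not part of the original post or of the AFNetworking project): a Ruby check that a developer could run over a CocoaPods `Podfile.lock` to see whether an app still resolves an AFNetworking release older than the fixed one. The lockfile text, the `AFNetworkingExtras` pod and every version number are constructed placeholders; take the real fixed version from the AFNetworking release notes.

```ruby
require "rubygems" # provides Gem::Version for version comparison

# Constructed Podfile.lock excerpt; pod versions are made-up placeholders.
SAMPLE_LOCK = <<~LOCK
  PODS:
    - AFNetworking (9.9.1):
      - AFNetworking/Security (= 9.9.1)
      - AFNetworking/NSURLSession (= 9.9.1)
    - AFNetworking/NSURLSession (9.9.1):
      - AFNetworking/Security
    - AFNetworking/Security (9.9.1)
    - AFNetworkingExtras (1.0.0)

  DEPENDENCIES:
    - AFNetworking (~> 9.9)

  COCOAPODS: 0.0.0
LOCK

# Placeholder: substitute the first fixed release from the AFNetworking release notes.
PLACEHOLDER_FIXED_VERSION = "9.9.2"

# Return { pod_name => resolved_version } for AFNetworking and its subspecs,
# reading only the PODS section, where CocoaPods records what was installed.
def afnetworking_pods(lock_text)
  pods = {}
  in_pods = false
  lock_text.each_line do |line|
    if (key = line[/\A([A-Z][A-Z ]*):/, 1]) # top-level section header
      in_pods = (key == "PODS")
    elsif in_pods &&
          (m = line.match(%r{\A  - "?(AFNetworking(?:/[^\s(]+)?) \(([^)]+)\)"?:?\s*\z}))
      # Two-space indent = resolved pod; deeper lines are only constraints.
      pods[m[1]] = m[2]
    end
  end
  pods
end

# Pods whose resolved version is older than the fixed release.
def outdated_afnetworking(lock_text, fixed_version)
  floor = Gem::Version.new(fixed_version)
  afnetworking_pods(lock_text).select { |_, v| Gem::Version.new(v) < floor }
end

if __FILE__ == $PROGRAM_NAME
  outdated_afnetworking(SAMPLE_LOCK, PLACEHOLDER_FIXED_VERSION).each do |name, v|
    puts "#{name} #{v} is older than #{PLACEHOLDER_FIXED_VERSION}: update and rebuild"
  end
end
```

A lockfile only shows what CocoaPods resolved; a copy of the library vendored directly into the project will not appear in it and has to be checked separately.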

  2. #2
    Why has Apple or the companies not been alerted yet?

  3. The Following User Says Thank You to TDH Advocate For This Useful Post:

    hopethemodworx (2015-04-22)

  4. #3
    Quote Originally Posted by TDH Advocate:
    Why has Apple or the companies not been alerted yet?

    Where does it say they weren't alerted?

    ......beware......
    Just your friendly neighborhood Spider-Man!

  5. The Following User Says Thank You to SpiderManAPV For This Useful Post:

    Dphillipds (2015-04-22)

  6. #4
    Quote Originally Posted by TDH Advocate:
    Why has Apple or the companies not been alerted yet?

    There is little Apple can do except pull the 1500+ apps from the App Store.

    The problem is in the code used to make the applications, so this is 100% the fault of the developers for not updating to the latest framework available and continuing to use a legacy framework known to have issues.

  7. The Following User Says Thank You to Anthony Bouchard For This Useful Post:

    SpiderManAPV (2015-04-22)

  8. #5
    Apple could deprecate and then discontinue the affected framework, thereby forcing the apps to update or die...

  9. The Following User Says Thank You to kyphur For This Useful Post:

    miketurbo123 (2015-04-22)
