
SourceDNA, a code analytics platform which audits Android and iOS apps, recently released a report indicating that more than 1,000 iOS apps have a serious security vulnerability that could compromise a user’s financial details.

The bug prevents the apps from correctly validating SSL certificates, opening them up to man-in-the-middle attacks. While the bug doesn’t affect the security of iOS itself, it could compromise user data transmitted through the affected apps.

A Simple Bug That Breaks SSL


The bug in question is in AFNetworking, a popular open-source networking library used in thousands of App Store apps. It is a simple logic error that stops the SSL certificate check from actually taking place, so every certificate check comes back as valid. This isn’t a massive security disaster like Heartbleed or Shellshock, but it is a problem if you use an app that contains the bug. Luckily, the bug existed for only about six weeks: it was introduced in version 2.5.1 and fixed in 2.5.2. You might reasonably assume that is the end of the story.

Unfortunately, no.

Sadly, many developers do not actively keep their apps up to date with bug fixes, and a number of apps are still shipping with the broken version of AFNetworking despite the availability of a patch. SourceDNA analyzed 20,000 apps that contain some version of the AFNetworking library and determined that about 1,000 of them still use the broken SSL check.


SourceDNA was able to perform this check using analysis tools that can examine the binaries of thousands of apps. Their technology identifies not just which libraries an app was compiled with, but which versions of those libraries. This turns out to be incredibly useful for identifying which apps may be affected by known bugs and vulnerabilities. According to the report,

“SourceDNA created a differential fingerprint from them to find the vulnerable code. Think of this as a set of unique characteristics that were present or absent only in the targeted version and not any others before or after it. With this set of signatures, our analysis engine would tell us exactly which version of AFNetworking was in use in each app.”
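To make the “differential fingerprint” idea concrete, here is an added example (not SourceDNA’s code) of the technique in Python. It treats the features extracted from each library build as a set of strings, derives for each version the features that are present only in that version and the features that are absent only from it, and then matches those signatures against the strings pulled from an app binary. The per-version feature sets, the feature names, and the three sample “app binaries” are all constructed for this illustration; they are not real AFNetworking symbols or real apps.

```python
"""Differential version fingerprinting, illustrating the approach SourceDNA
describes. Added example, not SourceDNA's tooling: feature names and app
contents below are constructed placeholders."""

# Constructed per-version feature sets: stand-ins for the strings or symbols
# a binary analysis would extract from each library build.
VERSION_FEATURES = {
    "2.5.0": {"policy_init", "trust_eval_v1", "op_manager", "ua_fmt_a",
              "helper_x"},
    "2.5.1": {"policy_init", "trust_eval_v2", "op_manager", "ua_fmt_b",
              "pin_mode_switch"},                       # helper_x dropped here
    "2.5.2": {"policy_init", "trust_eval_v3", "op_manager", "ua_fmt_b",
              "pin_mode_switch", "trust_eval_fix", "helper_x"},  # restored
}

# Constructed string sets "extracted" from three app binaries, each mixed
# with app-specific noise that no library version contains.
APPS = {
    "BankAgent": {"policy_init", "trust_eval_v2", "op_manager", "ua_fmt_b",
                  "pin_mode_switch", "BankAgentViewController"},
    "ShopCart": {"policy_init", "trust_eval_v3", "op_manager", "ua_fmt_b",
                 "pin_mode_switch", "trust_eval_fix", "helper_x", "CartModel"},
    "Flashlight": {"FlashlightView", "op_manager"},      # no AFNetworking
}


def differential_fingerprint(versions, target):
    """Features that set `target` apart from every other version:
    `present` = in target and in no other version;
    `absent`  = in every other version but missing from target."""
    others = [feats for v, feats in versions.items() if v != target]
    if not others:                      # nothing to differentiate against
        return frozenset(versions[target]), frozenset()
    present = versions[target] - frozenset().union(*others)
    absent = frozenset.intersection(*[frozenset(o) for o in others]) \
        - versions[target]
    return frozenset(present), frozenset(absent)


def version_matches(fingerprint, observed):
    """True when every `present` feature is in the binary and no `absent`
    feature is. An empty fingerprint cannot identify anything."""
    present, absent = fingerprint
    if not present and not absent:
        return False
    return present <= observed and not (absent & observed)


def identify_version(observed, versions=VERSION_FEATURES):
    """Sorted list of library versions whose fingerprint matches the feature
    set `observed` from one app binary (empty if the library is absent)."""
    return sorted(v for v in versions
                  if version_matches(differential_fingerprint(versions, v),
                                     observed))


def audit(apps, vulnerable_versions):
    """Names of apps whose matched library version is a vulnerable one."""
    return [name for name, strings in apps.items()
            if any(v in vulnerable_versions for v in identify_version(strings))]


if __name__ == "__main__":
    for name, strings in APPS.items():
        print(f"{name:11s} -> {identify_version(strings) or 'no match'}")
    print("vulnerable:", audit(APPS, {"2.5.1"}))
```

Two design points worth noting: matching on the absence of a feature is what prevents a 2.5.2 binary from being misidentified as the version it was built from, and a version whose fingerprint is empty (indistinguishable from its neighbours) is deliberately never reported rather than matching every binary.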

Many of the affected apps store and transmit user credit card data, including the Alibaba.com mobile app, KYBankAgent 3.0, and Revo Restaurant Point of Sale. Several million users have a vulnerable app installed on their iOS device – an astonishing amount of exposure from such a brief bug.

“5% or about 1,000 apps had the flaw. Are these apps important? We compared them against our rank data and found some big players: Yahoo!, Microsoft, Uber, Citrix, etc. It amazes us that an open-source library that introduced a security flaw for only 6 weeks exposed millions of users to attack.”

Assessing The Impact of the AFNetworking Bug

How bad is this vulnerability? The bug allows attackers to fool apps into thinking that they’re communicating over a secure connection with a trusted server. If you’re using a vulnerable app, anyone on the same WiFi network as you can set up a man-in-the-middle attack and intercept information from the app, including sensitive data like credit card details. That information could then be used for identity theft and other forms of fraud. Potentially, this kind of attack could be automated to target popular apps.
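The article describes the flaw as a logic error that stops the certificate check from running, so that any certificate, including one forged by someone on the same WiFi network, is accepted. The following is an added Python model of that class of bug, not AFNetworking’s actual code (the page does not reproduce the diff): a server-trust evaluator whose default pinning mode returns before the chain is evaluated, beside the hardened form that decides chain validity first. The certificate and chain objects stand in for the system’s trust objects, the policy fields borrow only the names of common options (pinning mode, allowing invalid certificates, validating the domain name), and the root, genuine chain and attacker chain are all constructed for the example.

```python
"""Model of a trust check that short-circuits before evaluating the chain.
Added illustration, not AFNetworking's code; all certificates and the
evaluator bodies below are constructed assumptions for this example."""
from dataclasses import dataclass
from enum import Enum


class PinningMode(Enum):
    NONE = "none"           # rely on the trusted roots only (the default)
    CERTIFICATE = "cert"    # leaf must additionally match a pinned cert


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes             # stand-in for the certificate's public key
    sans: tuple = ()        # hostnames the certificate is valid for


# Constructed trust anchor and chains.
ROOT = Cert("Example Root CA", "Example Root CA", b"root-key")
TRUSTED_ROOTS = frozenset({ROOT})
GOOD_LEAF = Cert("api.example.com", "Example Root CA", b"leaf-key",
                 ("api.example.com",))
GOOD_CHAIN = (GOOD_LEAF, ROOT)                 # genuine server
EVIL_LEAF = Cert("api.example.com", "api.example.com", b"evil-key",
                 ("api.example.com",))
EVIL_CHAIN = (EVIL_LEAF,)                      # self-signed, from a MITM


def chain_is_valid(chain, domain, check_domain=True):
    """Toy stand-in for the system trust evaluation: the chain must end at a
    trusted root, each issuer must name the next certificate's subject, and
    the leaf must cover `domain`. Signatures are modelled by name only."""
    if not chain or chain[-1] not in TRUSTED_ROOTS:
        return False
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    if check_domain and domain not in chain[0].sans:
        return False
    return True


@dataclass
class SecurityPolicy:
    pinning_mode: PinningMode = PinningMode.NONE
    allow_invalid_certificates: bool = False
    validates_domain_name: bool = True
    pinned_certificates: frozenset = frozenset()

    def evaluate_vulnerable(self, chain, domain):
        """The bug shape: in the default mode the method returns before the
        chain is ever examined, so a forged certificate passes."""
        if self.pinning_mode is PinningMode.NONE:
            return True                        # BUG: chain never checked
        if (not chain_is_valid(chain, domain, self.validates_domain_name)
                and not self.allow_invalid_certificates):
            return False
        return chain[0] in self.pinned_certificates

    def evaluate_fixed(self, chain, domain):
        """Hardened form: chain validity is decided first in every mode;
        pinning can only add a further constraint on top of it."""
        if (not chain_is_valid(chain, domain, self.validates_domain_name)
                and not self.allow_invalid_certificates):
            return False
        if self.pinning_mode is PinningMode.NONE:
            return True                        # reached only if trusted
        return chain[0] in self.pinned_certificates


def demo():
    """Both evaluators, default policy, genuine chain vs. MITM chain.
    Returns {scenario: (vulnerable_result, fixed_result)}."""
    policy = SecurityPolicy()
    host = "api.example.com"
    return {
        "genuine": (policy.evaluate_vulnerable(GOOD_CHAIN, host),
                    policy.evaluate_fixed(GOOD_CHAIN, host)),
        "mitm": (policy.evaluate_vulnerable(EVIL_CHAIN, host),
                 policy.evaluate_fixed(EVIL_CHAIN, host)),
    }


if __name__ == "__main__":
    for scenario, (vuln, fixed) in demo().items():
        print(f"{scenario:8s} vulnerable={vuln} fixed={fixed}")
```

Note that the bug is invisible to anyone who enabled certificate pinning, since that path still evaluates the chain; it is the default configuration, which most apps use, that accepts everything. That is also why an app-level check is the only practical defence for users here: the operating system’s own trust store is fine, the app simply never consults it.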


A number of companies have rushed out updates and fixes since the news broke, including Microsoft and Yahoo. Most of the apps, though, remain unpatched. To see if the apps you use are affected, you can use the SourceDNA search tool. If you discover that one of your apps is still vulnerable, the safest strategy is to delete it temporarily, and message the developers asking them to put out a patch as soon as possible.

SourceDNA is a clever tool, and this demonstrates that their technology is genuinely useful. Computer security is hard, and a tool that can automate the process of looking for unpatched bugs – with or without developer cooperation – is a huge win for user security. Without this kind of checking, this widespread bug would have persisted, probably for quite a long time. This kind of analysis enables mass public shaming that makes developers much more accountable, and it seems likely that SourceDNA will uncover further undetected and unsolved problems.

Is your iOS device affected by the AFNetworking bug? Are you excited by these new analytics tools? Let us know in the comments!

Image credits: “US Navy Cyberwarfare,” “iPhone front,” “iPhone camera,” by Wikimedia

  1. sean
    May 15, 2015 at 6:16 pm

    is that jim from the office in the picture?!

  2. Sylvester Johnson
    April 30, 2015 at 3:30 am

    Hmm... I guess customer service has gone out the window! I use basically all of my apps. To be considered lazy is as asinine as the person who flaunted the statement.

    Security is important to me and that is why I update my iOS as quickly as possible. I am assured that Apple would want a person to be awash in the glow of their security!! So, lazy, no! Security conscious, yes! I expect Apple to resolve this expeditiously.

    • R. Boyd
      May 2, 2015 at 6:10 pm

      I agree!

  3. Jonathan
    April 29, 2015 at 7:15 pm

    Lazy people. Just check the apps you have installed. If you have too many apps... maybe time to DELETE some.

    This online checker works great. Appreciate the heads up.
    Thank you.

  4. Teresa
    April 28, 2015 at 11:44 am

    I agree with the commenters above. Is there a better way?

  5. Mary Beth Blackmon
    April 28, 2015 at 3:40 am

    Same as TheLip. Can't do that simply or easily--

  6. TheLip
    April 26, 2015 at 9:30 pm

    So the link takes me to "Look up an iTunes developer account to get a report on the latest security issues affecting the apps (including the recent AFNetworking SSL flaws)"
    and a text box for iTunes Developer Name.

    This means I have to look up the developer of every app I have installed on my iPhone.
    It would have been a lot more useful to have an app I could run on the iPhone itself.

    • Anonymous
      April 27, 2015 at 2:19 pm

      Agreed
