1,500 Apps for iPhones and iPads are vulnerable to Man-in-the-Middle (MiTM) attacks
If you use an iPhone, iPad or iPod touch, here is a reason to check for app updates: security researchers have found that around 1,500 iOS apps ship with an HTTPS certificate-validation flaw that lets an attacker on the network path perform a man-in-the-middle (MiTM) attack and read passwords, banking details and other private data in transit.
The flaw lives in AFNetworking, a widely used open-source networking library for iOS and OS X apps, and was uncovered by SourceDNA. Cult of Mac reports that the bug affects an older release of the library and was fixed in version 2.5.2, but many app developers have not rebuilt their apps against the fixed release, leaving their users exposed to attack.
SourceDNA scanned around 1.4 million apps in the Apple App Store and found roughly 1,500 that still embed the vulnerable AFNetworking release rather than the fixed one. That is a tiny fraction of the store, but the exposure is per app, not per store: a single unpatched banking or conferencing app is enough for a criminal on the same Wi-Fi network to mount a MiTM attack against its users.
Normally an app validates the server's SSL/TLS certificate chain, so a forged certificate presented by an interception proxy fails the check and the connection is dropped immediately. The researchers found that a logic error in AFNetworking 2.5.1 means that validation is never actually carried out, so any certificate, forged or otherwise, is trusted by apps built with that version of the library.
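To make the failure mode concrete, here is an added Objective-C example; it is not AFNetworking's code and not the researchers' test code. The `TrustPolicy` and `SessionDelegate` classes and their method names are hypothetical. The bug is modeled as an early `return YES` taken when no certificate pinning is configured (an assumption about the shape of the logic error; it matches the observed behaviour of a proxy's forged certificate being accepted without any evaluation), and the fixed variant shows the check that was missing: calling `SecTrustEvaluate` and requiring a Proceed or Unspecified result before the connection is allowed to continue.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical policy object, added for illustration; names are not AFNetworking's.
typedef NS_ENUM(NSUInteger, TPPinningMode) {
    TPPinningModeNone,         // rely on the system trust store (what most apps do)
    TPPinningModeCertificate,  // additionally compare against pinned certificates
};

@interface TrustPolicy : NSObject
@property (nonatomic) TPPinningMode pinningMode;
@property (nonatomic) BOOL allowInvalidCertificates; // debug-only escape hatch
@property (nonatomic) BOOL validatesDomainName;      // check hostname, not just the chain
- (BOOL)vulnerableEvaluateServerTrust:(SecTrustRef)serverTrust forDomain:(NSString *)domain;
- (BOOL)fixedEvaluateServerTrust:(SecTrustRef)serverTrust forDomain:(NSString *)domain;
@end

// Ask the Security framework to build and evaluate the chain against the
// policies attached to the trust object. Only Proceed/Unspecified mean "valid".
static BOOL TPServerTrustIsValid(SecTrustRef serverTrust) {
    SecTrustResultType result = kSecTrustResultInvalid;
    if (SecTrustEvaluate(serverTrust, &result) != errSecSuccess) {
        return NO;
    }
    return result == kSecTrustResultUnspecified || result == kSecTrustResultProceed;
}

@implementation TrustPolicy

// Attach an SSL policy (with or without the hostname check) to the trust object.
- (void)applyPoliciesTo:(SecTrustRef)serverTrust forDomain:(NSString *)domain {
    SecPolicyRef policy = self.validatesDomainName
        ? SecPolicyCreateSSL(true, (__bridge CFStringRef)domain)
        : SecPolicyCreateBasicX509();
    SecTrustSetPolicies(serverTrust, policy);
    CFRelease(policy);
}

// Vulnerable shape: with no pinning configured the method returns YES before
// SecTrustEvaluate is ever called, so a forged certificate from an interception
// proxy is accepted and TLS provides no protection at all.
- (BOOL)vulnerableEvaluateServerTrust:(SecTrustRef)serverTrust forDomain:(NSString *)domain {
    [self applyPoliciesTo:serverTrust forDomain:domain];
    if (self.pinningMode == TPPinningModeNone) {
        return YES;                                   // <-- the missing check
    }
    if (!self.allowInvalidCertificates && !TPServerTrustIsValid(serverTrust)) {
        return NO;
    }
    return YES; // pin comparison omitted for brevity
}

// Fixed shape: chain validity is required on every path unless the app has
// explicitly (and, one hopes, only in debug builds) allowed invalid certificates.
- (BOOL)fixedEvaluateServerTrust:(SecTrustRef)serverTrust forDomain:(NSString *)domain {
    [self applyPoliciesTo:serverTrust forDomain:domain];
    if (self.pinningMode == TPPinningModeNone) {
        return self.allowInvalidCertificates || TPServerTrustIsValid(serverTrust);
    }
    if (!self.allowInvalidCertificates && !TPServerTrustIsValid(serverTrust)) {
        return NO;
    }
    return YES; // pin comparison omitted for brevity
}
@end

// Where the policy is consulted: NSURLSession hands every server-trust challenge
// to its delegate, and the delegate decides whether the connection proceeds.
@interface SessionDelegate : NSObject <NSURLSessionDelegate>
@property (nonatomic, strong) TrustPolicy *policy;
@end

@implementation SessionDelegate
- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    if ([self.policy fixedEvaluateServerTrust:space.serverTrust forDomain:space.host]) {
        completionHandler(NSURLSessionAuthChallengeUseCredential,
                          [NSURLCredential credentialForTrust:space.serverTrust]);
    } else {
        // Forged or otherwise untrusted chain: drop the connection.
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}
@end
```

A quick way to check any iOS app for this class of bug is the one the researchers describe: route the device through an intercepting proxy such as Burp without installing the proxy's CA certificate on the device. An app that validates correctly fails every HTTPS request; an app whose traffic shows up in plaintext in the proxy is trusting forged certificates. Note that `SecTrustEvaluate` has since been deprecated (iOS 13 onwards) in favour of `SecTrustEvaluateWithError`, which returns a plain boolean; the logic of the fixed method is otherwise unchanged.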
“The issue occurs even when the mobile application requests the library to apply checks for server validation in SSL certificates,” the researchers wrote. “We tested the app on a real device and, unexpectedly, we found that all the SSL traffic could be regularly intercepted through a proxy like Burp without any intervention!”
Ars Technica reports that a number of apps, including Citrix OpenVoice Audio Conferencing, the Alibaba mobile app, Movies by Flixster with Rotten Tomatoes, KYBankAgent 3.0 and Revo Restaurant Point of Sale, were still using the vulnerable version of AFNetworking, while the most widely used iPhone and iPad apps, including those from Microsoft, Yahoo and Uber, were patched following private disclosure to their developers.