iOS Apps Vulnerable to SSL Flaw

Friday, April 24, 2015 @ 05:04 PM gHale


A bug in an older version of a widely used networking library for iOS and OS X can end up exploited to decrypt the secure traffic from almost 1,000 iOS apps, allowing an attacker access to vital user information.

Build 2.5.1 of open source AFNetworking ended up affected by a security vulnerability that disables SSL (secure sockets layer) certificate validation, permitting someone to intercept the connection and read the encrypted information in plain text.

RELATED STORIES
Attack Trend: Fileless Malware
Ransomware Focuses on Outdated Plug-Ins
Malware Goes Invisible
New Ransomware Hits the Street

The security flaw ended up patched in late March, but not all developers integrated the updated code into their apps, leaving their users exposed, especially those using the older versions.

Research from analytics firm SourceDNA created fingerprints for tracking down the free apps that contain AFNetworking 2.5.1 and discovered about 1,000 products did not move to the safer version of the library.

The faulty release of AFNetworking is included in software from major developers, such as Yahoo (Yahoo Finance 2.3.2) and Microsoft (OneDrive 5.1).

Their apps, however, updated to new versions that rely on a secure variant of the networking library, so users should simply install the latest revision.

On the other hand, there are other developers who have not made the switch and whose users may become victims. Two of them are Alibaba.com (build 3.3.2 and 3.3.3) and Citrix (OpenVoice Audio Conferencing 1.4.0 and 1.5.1).

To help users and developers identify the hazardous products, SourceDNA released a service that checks if the apps from a developer are vulnerable.

According to SourceDNA, the number of users impacted amounts to millions. Developers have started to address the risk and released updates for their products, so clients should be able to install the new, risk-free revisions.



Leave a Reply

You must be logged in to post a comment.