‘Large number of iOS apps contain https vulnerability’


Many popular apps for iPhones and iPads contain a vulnerability in their implementation of https. It would make it easy to intercept SSL traffic on insecure networks. The apps are vulnerable because they use an old version of AFNetworking.

The company SourceDNA found a way to detect the use of AFNetworking in iOS apps and determined that 1,000 apps were vulnerable, including apps from Yahoo, Microsoft, Uber and Citrix. The company has put a search engine online that lets users check which apps are vulnerable.

AFNetworking is an open source code library that many developers use for the network functionality of their apps. Version 2.5.1 of the library, released on February 12, had a bug that prevented validation of SSL certificates. Version 2.5.2 fixed the problem, but many apps were updated in the meantime, and by no means all of them have since moved to a version that does not contain the bug.

SourceDNA fingerprinted the versions of AFNetworking from before, during and after the vulnerability and matched those fingerprints against the binary code of 20,000 iOS apps that were released or updated during that period. The results: 55 percent still contained the old, secure 2.5.0 code, 40 percent did not use the vulnerable SSL API, and 5 percent were vulnerable.

When iPhone or iPad users run vulnerable apps on a network controlled by a malicious party, traffic that should be encrypted can be intercepted, potentially putting logins and passwords in the wrong hands. “We’re surprised that an open source code library that suffered a vulnerability for six weeks exposed millions of people to attacks,” SourceDNA reports.
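The defensive lesson of the incident is not to rely solely on a library's default chain validation. The following is an added example, not code from the article, from SourceDNA or from the AFNetworking project: it configures AFNetworking's `AFSecurityPolicy` to pin the server certificate shipped in the app bundle, so that a connection is only accepted when the server presents that exact certificate and its name matches the host. The backend URL `https://api.example.com` and the bundled `.cer` file are assumptions; AFNetworking's certificate pinning mode loads `.cer` files from the main bundle by default.

```objectivec
#import <AFNetworking/AFNetworking.h>

// Added example (not from the article or from the AFNetworking project).
// Assumes an app whose backend is https://api.example.com (placeholder) and
// whose bundle ships that server's certificate as a .cer file, which the
// certificate pinning mode picks up automatically.
static AFHTTPSessionManager *makeHardenedManager(void) {
    // Pin to the bundled certificate(s). Even if the library's default
    // chain validation were skipped, as in 2.5.1, a server that cannot
    // present the pinned certificate is rejected.
    AFSecurityPolicy *policy =
        [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];
    policy.allowInvalidCertificates = NO;  // never accept an untrusted chain
    policy.validatesDomainName = YES;      // the certificate must match the host name

    // Fail loudly at development time if no .cer file made it into the bundle;
    // otherwise pinning would silently protect nothing.
    NSCAssert(policy.pinnedCertificates.count > 0,
              @"no pinned certificates found in the app bundle");

    AFHTTPSessionManager *manager = [[AFHTTPSessionManager alloc]
        initWithBaseURL:[NSURL URLWithString:@"https://api.example.com"]];
    manager.securityPolicy = policy;
    return manager;
}
```

The three settings work together: `allowInvalidCertificates = NO` and `validatesDomainName = YES` are the normal chain and host-name checks, and the pinning mode adds an app-specific trust anchor on top, which is what protects users on a hostile network when a dependency update quietly weakens the default checks. Pinned certificates expire, so the bundled `.cer` must be rotated before the server certificate is renewed.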
