‘Many popular iOS apps don’t encrypt network traffic’
A German security researcher and former Apple employee has examined the security of Germany's 200 most popular iOS apps. Among other findings, he states that 111 of them do not encrypt their network traffic.
The researcher, Thomas Jansen, shared his findings with the German newspaper Die Zeit. Because the apps either do not use an encrypted connection or do not adequately verify the server's certificate, an attacker in a man-in-the-middle position on a wireless network could intercept their traffic and, for example, obtain login credentials or other sensitive data. So far, Jansen has reported 51 unsafe apps to 24 developers, of which 16 responded and 5 shipped a fix.
Linus Neumann of the German Chaos Computer Club has reviewed Jansen's findings and tells the newspaper that "there are no longer any arguments for sending plaintext these days." Apple has not commented on the findings. The company originally wanted to require developers to use App Transport Security by January 1 of this year, but postponed this deadline to an unknown date.
The security feature was introduced in iOS 9 and is meant to enforce an https connection with modern TLS between an app and its backend. Apple states that it should be applied everywhere, but exceptions are possible. Sometimes an app needs to connect to a host that does not offer https, for example a cdn. In that case, the developer must explicitly declare that domain as an exception in the app's Info.plist, rather than switching ATS off for all hosts.
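The article does not show what such an exception looks like, so here is an added example, not taken from the article or from Jansen's work: a small Python script that reads an app's Info.plist and flags the ATS settings that weaken the default (a global opt-out via NSAllowsArbitraryLoads, and per-domain exceptions that allow plaintext http, lower the TLS version or drop forward secrecy). The three sample plists are constructed for illustration, and the host cdn.example.com is a placeholder.

```python
import plistlib

# Constructed sample Info.plist fragments; they are not from any of the apps
# in the article. cdn.example.com is a placeholder host name.

# 1. ATS switched off for every host: the setting an auditor should flag first.
PLIST_GLOBAL_OPT_OUT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.weakapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
  </dict>
</dict>
</plist>
"""

# 2. The way Apple intends exceptions: only the cdn (and its subdomains) may be
#    reached over plaintext http; every other host still gets the ATS default.
PLIST_SCOPED_EXCEPTION = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.scopedapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>cdn.example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key>
        <true/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# 3. No ATS dictionary at all: the secure default (https, TLS 1.2 or newer) applies.
PLIST_DEFAULT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.defaultapp</string>
</dict>
</plist>
"""

# TLS versions that NSExceptionMinimumTLSVersion can lower the floor to.
WEAK_TLS_VERSIONS = {"TLSv1.0", "TLSv1.1"}


def audit_ats(plist_bytes):
    """Return a list of (severity, message) tuples for ATS weakenings in an Info.plist."""
    info = plistlib.loads(plist_bytes)
    findings = []
    ats = info.get("NSAppTransportSecurity")
    if ats is None:
        return findings  # ATS defaults apply to every connection

    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("high", "NSAllowsArbitraryLoads: plaintext http and weak TLS accepted for every host"))
    for key in ("NSAllowsArbitraryLoadsInWebContent", "NSAllowsArbitraryLoadsForMedia"):
        if ats.get(key):
            findings.append(("medium", f"{key}: ATS disabled for that content type"))

    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        scope = domain + (" and subdomains" if cfg.get("NSIncludesSubdomains") else "")
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(("medium", f"{scope}: plaintext http allowed"))
        min_tls = cfg.get("NSExceptionMinimumTLSVersion")
        if min_tls in WEAK_TLS_VERSIONS:
            findings.append(("medium", f"{scope}: minimum TLS version lowered to {min_tls}"))
        if cfg.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(("low", f"{scope}: forward secrecy not required"))
    return findings


if __name__ == "__main__":
    for name, data in (("global opt-out", PLIST_GLOBAL_OPT_OUT),
                       ("scoped exception", PLIST_SCOPED_EXCEPTION),
                       ("default", PLIST_DEFAULT)):
        print(name)
        for severity, message in audit_ats(data) or [("info", "no ATS weakening found")]:
            print(f"  [{severity}] {message}")
```

A scoped exception still shows up as a finding, because plaintext to the cdn is still interceptable on the same wireless network; the difference from the global opt-out is that the damage is confined to the hosts the developer consciously listed. Running the script against the Info.plist inside an unpacked .ipa tells you which of the two situations an app is in before you start intercepting traffic.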