According to a report, around 1,000 iOS apps are affected by a weakness in their mobile security, making it easy for attackers to access encrypted data like passwords, bank account numbers, and home addresses as they are being sent over the airwaves from security firms SourceDNA. Companies including Microsoft, Uber, and Yahoo all released apps affected by the flaw – they have now fixed them, but many others still have not updated their apps to a new secure version.
Called AFNetworking, the code library was revealed to have a flaw in its implementation of SSL, the web security technology that allows sensitive data to be exchanged over the net. It was introduced in January and fixed in late March, but 1,000 apps are still running the vulnerable version. The affected apps all share the same code, available for free to help developers incorporate encryption into their programs.
An unknown number of apps running the vulnerable version will still be safe to use, however, since the flaw is only present if the app’s developers leave a specific setting unchanged from its default.
SourceDNA scanned all the free apps and the top 5,000 paid ones available on the iOS App Store to find apps that are still vulnerable. Out of the 1m-plus apps scanned, the firm found 100,000 which used AFNetworking; of those, 20,000 had been released since the vulnerability was introduced into the library.
“Our system then scanned those apps with the differential signatures to see which ones actually had the vulnerable code,” the company writes. “The results? 55% had the older but safe 2.5.0 code, 40% were not using the portion of the library that provides the SSL API, and 5% or about 1,000 apps had the flaw.
“Are these apps important? We compared them against our rank data and found some big players: Yahoo!, Microsoft, Uber, Citrix, etc. Microsoft, Uber, and Yahoo have since fixed their vulnerable apps, and users should update to the latest version, but Citrix, makers of a popular conference call software solution, remain vulnerable. It amazes us that an open-source library that introduced a security flaw for only six weeks exposed millions of users to attack.”
The company has created an online tool for developers to check if their own apps are vulnerable. Users can check whether they use an app that has been affected by entering the name of the apps’ publisher.
The AFNetworking vulnerability makes it easy for an attacker to crack a type of encryption called SSL. This is best known to most users as the technology that secures e-commerce transactions, typically marked with a padlock symbol in the browser bar. Still, it is increasingly widely used to protect user privacy against all sorts of attackers, from government eavesdroppers to identity thieves.
Without SSL or similar encryption, internet traffic can be intercepted through a “man-in-the-middle” attack, where an attacker routes traffic through their own computers to alter or steal it. A typical attack scenario would be against a customer browsing free Wi-Fi in a coffee shop. Still, there’s little technical difference between that and the systematic surveillance practiced by Western intelligence agencies.
Like the OpenSSL Heartbleed bug before it, which catastrophically broke millions of servers worldwide, the flaw in AFNetworking could raise questions about the longstanding assumption that open-source software (where the source code is public and can be reused freely) is inherently more secure. Despite the 100,000 apps using AFNetworking, the bug still took more than a month to be discovered.