Code audit finds over 25,000 vulnerable apps in iTunes


Bug in SSL library makes eavesdropping easy.

A serious flaw in the traffic encryption and session validation component of the open source framework used by many iOS developers for their apps sold on iTunes could leave thousands of users' traffic open to eavesdropping.

SourceDNA found that the AFNetworking framework for Apple iOS and OS X operating systems does not default to checking domain names for TLS/SSL (Transport Layer Security/Secure Sockets Layer) sessions in version 2.5.2 and prior.

All an attacker needed to do to exploit the flaw, SourceDNA said, was to obtain a cheap but legitimate SSL certificate for a web server: because the domain name was not validated, that certificate could be presented as belonging to any domain, allowing the attacker to intercept user communications sessions that appeared to be secured.

Currently, over 25,000 apps in the Apple iTunes store use a vulnerable version of AFNetworking.

Using certificate pinning - a technique that tells browsers to accept only specific certificates - would enable domain validation. However, SourceDNA noted that few iOS developers turn on certificate pinning, and recommended that the technique be used more frequently for additional security.
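The two checks the article describes, hostname validation and public-key pinning, reduce to a small decision made after the certificate chain has been verified. The following is an added illustration and is not AFNetworking's code: it models certificates as plain dicts holding constructed sample values (the dNSName entries of the subjectAlternativeName extension and a placeholder SHA-256 fingerprint of the public key) and shows how a policy that skips domain-name validation accepts a certificate legitimately issued for an unrelated domain, while the corrected default and pinning both reject it. The `SecurityPolicy` class, its field names and the sample certificates are assumptions made for this example.

```python
"""Client-side TLS trust decision: hostname validation and SPKI pinning.

Illustrative example, not AFNetworking's implementation. Certificates are
modelled as dicts with only the fields these checks need. All values are
constructed samples, not real certificates or fingerprints.
"""
from dataclasses import dataclass

# Constructed sample: a certificate an attacker legitimately obtained for a
# domain they control. A public CA will happily issue this.
ATTACKER_CERT = {
    "san_dns": ["attacker.example"],
    "spki_sha256": "11" * 32,  # placeholder fingerprint
}

# Constructed sample: the certificate the app's real server presents.
SERVER_CERT = {
    "san_dns": ["api.bank.example", "*.cdn.bank.example"],
    "spki_sha256": "aa" * 32,  # placeholder fingerprint
}


@dataclass(frozen=True)
class SecurityPolicy:
    """Hypothetical policy object. validates_domain_name=False models the
    vulnerable default the article describes; True is the corrected default."""
    validates_domain_name: bool = True
    pinned_spki_sha256: frozenset = frozenset()  # empty set means no pinning


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName comparison: case-insensitive, with a wildcard
    allowed only as the entire left-most label, matching exactly one label.
    Partial wildcards (f*o.example) and wildcards directly under a TLD are
    rejected."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if any SAN dNSName in the certificate covers the requested host."""
    return any(dns_name_matches(name, hostname) for name in cert["san_dns"])


def evaluate_trust(cert: dict, hostname: str, policy: SecurityPolicy) -> tuple:
    """Return (trusted, reason). Chain validation against the trust store is
    assumed to have succeeded already; this is the step that follows it.
    The pin is checked first so a pinned-but-misnamed cert reports the
    more specific failure."""
    if policy.pinned_spki_sha256 and cert["spki_sha256"] not in policy.pinned_spki_sha256:
        return False, "public key not pinned"
    if policy.validates_domain_name and not hostname_matches(cert, hostname):
        return False, "hostname mismatch"
    return True, "ok"


if __name__ == "__main__":
    host = "api.bank.example"
    vulnerable = SecurityPolicy(validates_domain_name=False)
    fixed = SecurityPolicy()
    pinned = SecurityPolicy(pinned_spki_sha256=frozenset({SERVER_CERT["spki_sha256"]}))
    for label, policy in [("no domain validation", vulnerable),
                          ("domain validation", fixed),
                          ("pinned", pinned)]:
        print(f"{label:>21}: attacker cert -> {evaluate_trust(ATTACKER_CERT, host, policy)}")
        print(f"{label:>21}: server cert   -> {evaluate_trust(SERVER_CERT, host, policy)}")
```

The point the article makes falls out of the first policy: a valid, CA-issued certificate for `attacker.example` is accepted for `api.bank.example` when domain-name validation is off, which is why a cheap legitimate certificate was enough. Pinning rejects it even when domain validation is disabled, because the attacker's key is not the one the app was built to expect.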

SourceDNA had earlier discovered through a code audit that AFNetworking would accept self-signed SSL certificates, meaning anyone could create these and present them as being legitimate to users - a scenario SourceDNA called "game over" as it could lead to widespread breaking of SSL security.

Version 2.5.3 of AFNetworking contains a fix for the missing SSL certificate domain name validation.

The security vendor encouraged developers to track the third-party components in their source code to ensure they are running the most recent versions with security fixes applied.

Copyright © iTnews.com.au . All rights reserved.