Dozens of iOS apps open to man-in-the-middle attack

At least 76 popular apps on Apple's iOS platform are vulnerable to attacks that could allow hackers to intercept and steal data without being noticed.

The vulnerability stems from misconfigured networking code that means the app will accept any digital secure sockets layer/transport layer security (SSL/TLS) certificate to establish an encrypted connection.

Attackers within wi-fi range of the device can exploit the network misconfiguration to trick apps to instead install their own certificate.

From there the attacker can obtain a man in the middle position on the network, and intercept and grab data being sent to and from the app.

The flaw could affect millions of users. Infosec expert and CEO of iOS security platform operator Sudo Security Group, Will Strafach, said the affected applications had been downloaded more than 18 million times. 

Strafach categorised 33 of the claimed 76 apps susceptible to man-in-the-middle attacks as low-risk, given the data vulnerable to intercept was only partially sensitive.

This list includes the likes of Huawei HiLink, which he said can leak device data, and Uconnect Access, which can leak usernames and passwords.

A further 40 apps were categorised by Strafach's team as at medium or high risk of man-in-the-middle attack.

These applications will remain unnamed until the end of a two or three- month responsible disclosure period to give developers time to fix the problems.

Apple is trying to push developers to secure their apps' data communications with HTTPS using the new app transport security (ATS) feature.

ATS will become mandatory for developers this year, but Strafach said the feature does not help in this case: attacker's certificates won't be blocked by ATS because they appear to be valid.

Strafach said there was little Apple could do to fix the problem. ATS allows apps to judge certificate validity; overriding this would make some apps less secure as they wouldn't be able to utilise certificate pinning for their connections.

"The onus rests solely on app developers themselves to ensure their apps are not vulnerable," he said.

Strafach noted that the risk of attack was greater when a user's device is connected to wi-fi.

"Cellular interception is more difficult, requires expensive hardware, is far more noticeable, and it is quite illegal (within the US)," he said.

He advised end users to only perform sensitive actions like personal banking while on a cellular connection.