Dozens of iOS apps open to man-in-the-middle attack

By on
Dozens of iOS apps open to man-in-the-middle attack

Flaw lets attackers bypass Apple ATS security feature.

At least 76 popular apps on Apple's iOS platform are vulnerable to attacks that could allow hackers to intercept and steal data without being noticed.

The vulnerability stems from misconfigured networking code that means the app will accept any digital secure sockets layer/transport layer security (SSL/TLS) certificate to establish an encrypted connection.

Attackers within wi-fi range of the device can exploit the network misconfiguration to trick apps to instead install their own certificate.

From there the attacker can obtain a man in the middle position on the network, and intercept and grab data being sent to and from the app.

The flaw could affect millions of users. Infosec expert and CEO of iOS security platform operator Sudo Security Group, Will Strafach, said the affected applications had been downloaded more than 18 million times. 

Strafach categorised 33 of the claimed 76 apps susceptible to man-in-the-middle attacks as low-risk, given the data vulnerable to intercept was only partially sensitive.

This list includes the likes of Huawei HiLink, which he said can leak device data, and Uconnect Access, which can leak usernames and passwords.

A further 40 apps were categorised by Strafach's team as at medium or high risk of man-in-the-middle attack.

These applications will remain unnamed until the end of a two or three- month responsible disclosure period to give developers time to fix the problems.

Apple is trying to push developers to secure their apps' data communications with HTTPS using the new app transport security (ATS) feature.

ATS will become mandatory for developers this year, but Strafach said the feature does not help in this case: attacker's certificates won't be blocked by ATS because they appear to be valid.

Strafach said there was little Apple could do to fix the problem. ATS allows apps to judge certificate validity; overriding this would make some apps less secure as they wouldn't be able to utilise certificate pinning for their connections.

"The onus rests solely on app developers themselves to ensure their apps are not vulnerable," he said.

Strafach noted that the risk of attack was greater when a user's device is connected to wi-fi.

"Cellular interception is more difficult, requires expensive hardware, is far more noticeable, and it is quite illegal (within the US)," he said.

He advised end users to only perform sensitive actions like personal banking while on a cellular connection.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
attack ios man in the middle mitm security
In Partnership With

Most Read Articles

The CIO movements that made headlines in 2018

The CIO movements that made headlines in 2018
Atlassian admits it did Kubernetes 'the hard way'

Atlassian admits it did Kubernetes 'the hard way'
Defence finally reveals new providers for mammoth IT support deal

Defence finally reveals new providers for mammoth IT support deal
NBN Co makes move to sell more 100Mbps-plus services

NBN Co makes move to sell more 100Mbps-plus services
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Automate and secure IOT for Business
Automate and secure IOT for Business
Data Science and AI Solutions for Cybersecurity
Data Science and AI Solutions for Cybersecurity
Intro to AI for Security Professionals
Intro to AI for Security Professionals
Digital Transformation: Hope, or Hype?
Digital Transformation: Hope, or Hype?
How to choose a trusted IT provider
How to choose a trusted IT provider

Events

Log In

Username / Email:
Password:
  |  Forgot your password?