We recently reported about hundreds of Android apps that are exposing secret keys and tokens due to bad coding practices.
Now, it looks like it’s not just Android apps that are susceptible to coding issues that put app users in danger. Official iOS apps can also be exploited due to code misconfigurations that can lead to more serious problems.
A recent blog post by Sudo Security Group’s chief executive Will Strafach revealed a number of popular iPhone apps that are susceptible to silent man-in-the-middle attacks that can steal encrypted data.
According to the post, these 76 iOS apps, which include popular messenger, banking and IP cam apps, have a combined total of 18 million downloads.
The exploit lies in how some apps have network misconfigurations that allow them to accept any security certificates, regardless if they’re valid or not.
This vulnerability can allow a hacker to trick an app into accepting a fake certificate that can be used for silent interception of encrypted data. Even iOS’s built-in app security feature, App Transport Security, will accept the fake certificate since it sees the connection as valid.
Strafach explained that this attack can be launched by anyone within Wi-Fi range of your iPhone while it’s in use. This includes public spaces or within your home if an attacker is within range. He also said users of the affected apps are safer when using cellular connections instead of Wi-Fi.
He clarifies that it’s all up to the developers of said apps to fix the problem since there’s no possible fix that Apple can do on its side. If Apple issues a widespread fix to patch the hole, it could make all iPhone and iPad apps less secure.
“Therefore, the onus rests solely on app developers themselves to ensure their apps are not vulnerable,” he said.
For 33 of these apps, the vulnerability is considered low risk. The potential data interceptions for these apps only include partially sensitive data like analytics data (OS version, iPhone model, Carrier, search queries, etc.), email addresses, phone numbers and login credentials for specific services entered on “non-hostile” networks.
Here’s a list of the low-risk apps. As you can see, some of these are apps that you may be familiar with.
- ooVoo — Free Video Call, Text and Voice
- VivaVideo — Free Video Editor & Photo Movie Maker
- Snap Upload for Snapchat — Send Photos & Videos
- Uconnect Access
- Volify — Free Online Music Streamer & MP3 Player
- Uploader Free for Snapchat — Quick Upload Snap from Camera Roll
- Epic! — Unlimited Books for Kids
- Mico — Chat, Meet New People
- Safe Up for Snapchat — Quick Upload photos and videos from your camera roll
- Tencent Cloud
- Uploader for Snapchat — Quick Upload Pics & Videos to Snapchat
- Huawei HiLink (Mobile WiFi)
- VICE News
- Trading 212 Forex & Stocks
- CashApp — Cash Rewards App
- [Clone of legitimate service] (Removed from App Store as of Feb. 7, 2017)
- 1000 Friends for Snapchat — Get More Friends & Followers for Snapchat
- YeeCall Messenger-Free Video Call&Conference Call
- InstaRepost — Repost Videos & Photos for Instagram Free Whiz App
- Loops Live
- Private Browser — Anonymous VPN Proxy Browser
- Cheetah Browser
- AMAN BANK
- FirstBank PR Mobile Banking
- vpn free — OvpnSpider for vpngate
- Gift Saga — Free Gift Card & Cash Rewards
- Vpn One Click Professional
- Music tube — free imusic playlists from Youtube
- AutoLotto: Powerball, MegaMillions Lottery Tickets
- Foscam IP Camera Viewer by OWLR for Foscam IP Cams
- Code Scanner by ScanLife: QR and Barcode Reader
Twenty-four of the iOS apps have vulnerabilities that are considered medium risk. Medium risk means login credentials and session authentication tokens for users can be intercepted.
Nineteen of the apps have high-risk vulnerabilities and can leak sensitive data like financial or medical service login credentials and session authentication tokens for users.
Due to the potential security issues of these vulnerabilities, the medium and high-risk apps were not posted publicly as of yet.
According to the post, the team has reached out to the “affected banks, medical providers, and other developers of sensitive applications, which are vulnerable.” The medium/high-risk apps will be revealed within 60 to 90 days.
This is in line with the standard “responsible disclosure” period that gives developers time to fix vulnerabilities before they are published publicly.
What you can do
Since this vulnerability can only be exploited if you are connected to Wi-Fi, Strafach suggested that you toggle your iPhone’s Wi-Fi switch to off when performing confidential tasks like online banking in public places. He said that while cellular connections can still be attacked, cellular data interception is harder to pull off.
“While on a cellular connection the vulnerability does still exist, cellular interception is more difficult, requires expensive hardware, is far more noticeable, and it is quite illegal (within the United States),” Stratfach explained. “Therefore, it is much less plausable (sic) for an attacker to risk attempting to intercept a cellular data connection.”
He also advised developers to be careful in implementing network-related code in their mobile apps. Problems like this stem from “borrowed code” from the web that application developers may not grasp entirely.
To read Strafach’s blog post and details about this vulnerability, click here.