HTTPS snooping flaw in third-party library affected 1,000 iOS apps with millions of users

The flaw in the AFNetworking library broke HTTPS certificate validation, enabling man-in-the-middle attacks

Apps used by millions of iPhone and iPad owners became vulnerable to snooping when a flaw was introduced into third-party code they used to establish HTTPS connections.

The flaw was located in an open-source library called AFNetworking that's used by hundreds of thousands of iOS and Mac OS X applications for communicating with Web services. The bug disabled the validation of digital certificates presented by servers when establishing secure HTTPS (HTTP over SSL/TLS) connections.

This means that attackers in a position to intercept encrypted traffic between affected applications and HTTPS servers could decrypt and modify the data by presenting the app with a fake certificate. This is known as a man-in-the-middle attack and can be launched over insecure wireless networks, by hacking into routers and through other methods.

The impact of the flaw for the iOS ecosystem was hard to gauge because the vulnerability only affected applications that used a particular version of AFNetworking -- 2.5.1 -- released on Feb. 9 and, of those, only the ones that relied on the library's SSL/TLS functionality.

The vulnerability was fixed in AFNetworking 2.5.2, released on March 26, so the flaw was active for a little over six weeks. How many iOS apps were updated to the vulnerable version in that time frame and how many of them used it for establishing HTTPS communications? A company called SourceDNA which tracks the use of third-party components in iOS and Android apps claims to have an answer.

There are over 100,000 iOS apps, out of the 1.4 million on the App Store, that use the AFNetworking library, the company said Monday in a blog post. Of those, around 20,000 had been updated or released during the time when the vulnerability existed.

SourceDNA created a signature for the vulnerable AFNetworking code and scanned those 20,000 apps to see how many of them had it. The scan showed that 55 percent used the older and safe 2.5.0 version of the library, another 40 percent were not using the library's vulnerable SSL/TLS API (application programming interface) at all, and 5 percent or around 1,000 apps were vulnerable.

One thousand vulnerable apps out of 100,000 might not sound too bad, but it actually is when taking into consideration that they included popular apps from high-profile vendors like Yahoo, Microsoft, Uber Technologies, Citrix and others.

"It amazes us that an open-source library that introduced a security flaw for only six weeks exposed millions of users to attack," SourceDNA said.

Some vendors, including Yahoo, have already patched their apps, but others remain vulnerable, so SourceDNA created a website that allows users to check if their installed apps are vulnerable.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Microsoftmobile securityCitrixYahooonline safetypatchesExploits / vulnerabilitiesUber TechnologiesSourceDNA

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?