Approximately two million people have installed vulnerable apps.
Roughly 1,500 iPhone and iPad apps contain a vulnerability that allows cyber criminals to intercept passwords, account information and other personal information. An estimated two million people have installed affected apps, according to research published this week by SourceDNA.
According to Ars Technica, the security flaw impacts HTTPS and lies in an out-of-date version of AFNetworking, an open-source code library that developers use to push out networking capabilities into their apps. Although the most recent version of AFNetworking patches the flaw, the 1,500 iOS apps remain vulnerable because they still use an older version.
In order to exploit the bug, cyber attackers on any public network – like a coffee shop, for instance – would need only to present a vulnerable device with a fraudulent secure sockets layer (SSL) certificate. Normally, the certificate would immediately be flagged as counterfeit and the connection dropped. However, the code in the vulnerable apps contains a logic error that causes the validation check never to be carried out, so fraudulent certificates are fully trusted.
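To make the failure mode above concrete, here is an added, simplified model of a client's server-trust evaluation (example code written for this page; it is not AFNetworking's code, nor the code of any affected app). The certificate records, the trusted root, the host name and both policy functions are constructed for illustration. The flawed policy returns early before its chain and host name checks, so the checks are never carried out and a fraudulent chain is accepted; the hardened policy always runs them.

```python
"""Toy model of TLS server-trust evaluation: an early return that skips the
certificate checks versus a policy that always performs them.

Constructed example: Cert records, TRUSTED_ROOTS, the sample chains and both
evaluate_trust_* functions are simplified stand-ins, not any real library's code.
"""
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class Cert:
    """Minimal certificate model: who it names, who signed it, which hosts it covers."""
    subject: str
    issuer: str
    dns_names: FrozenSet[str] = frozenset()


# Constructed trust store: subjects of the roots this client trusts.
TRUSTED_ROOTS = {"Example Root CA"}


def chain_is_valid(chain: List[Cert]) -> bool:
    """Walk leaf -> intermediates -> root: every issuer must be the next link's
    subject, and the final link must be signed by a trusted root."""
    if not chain:
        return False
    for cert, parent in zip(chain, chain[1:]):
        if cert.issuer != parent.subject:
            return False
    return chain[-1].issuer in TRUSTED_ROOTS


def hostname_matches(leaf: Cert, host: str) -> bool:
    """Exact DNS-name match only (wildcard handling omitted for brevity)."""
    return host in leaf.dns_names


def evaluate_trust_flawed(chain: List[Cert], host: str, pinning_enabled: bool = False) -> bool:
    """Flawed policy: when pinning is off it returns early, so the chain and
    host name checks below never run and any presented certificate is trusted."""
    if not pinning_enabled:
        return True  # logic error: validation skipped entirely
    return chain_is_valid(chain) and hostname_matches(chain[0], host)


def evaluate_trust_fixed(chain: List[Cert], host: str, pinning_enabled: bool = False) -> bool:
    """Hardened policy: chain and host name validation always run; pinning, if
    enabled, would be an additional check layered on top (omitted here)."""
    if not chain_is_valid(chain):
        return False
    return hostname_matches(chain[0], host)


# Constructed sample data (hypothetical names, .test TLD).
HOST = "api.example.test"
LEGITIMATE_CHAIN = [
    Cert("api.example.test", "Example Intermediate CA", frozenset({HOST})),
    Cert("Example Intermediate CA", "Example Root CA"),
]
# A fraudulent chain: the leaf names the right host, but it is signed by an
# untrusted, self-signed authority rather than anything in TRUSTED_ROOTS.
FRAUDULENT_CHAIN = [
    Cert("api.example.test", "Untrusted Proxy CA", frozenset({HOST})),
    Cert("Untrusted Proxy CA", "Untrusted Proxy CA"),
]


def compare_policies() -> dict:
    """Run both policies against both chains; returns {policy: (legit, fraudulent)}."""
    return {
        "flawed": (evaluate_trust_flawed(LEGITIMATE_CHAIN, HOST),
                   evaluate_trust_flawed(FRAUDULENT_CHAIN, HOST)),
        "fixed": (evaluate_trust_fixed(LEGITIMATE_CHAIN, HOST),
                  evaluate_trust_fixed(FRAUDULENT_CHAIN, HOST)),
    }


if __name__ == "__main__":
    for name, (legit, fraud) in compare_policies().items():
        print(f"{name:6s} policy: legitimate={legit} fraudulent={fraud}")
```

Running the block shows the flawed policy accepting both chains and the fixed policy accepting only the legitimate one. The practical takeaway for developers is the same as the article's: an app's trust evaluation should be exercised against an untrusted certificate as part of testing, because a short-circuit like the one modelled here is invisible when only valid certificates are ever presented.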
“We tested the app on a real device and, unexpectedly, we found that all the SSL traffic could be regularly intercepted through a proxy like Burp without any intervention,” security researchers Simone Bovi and Mauro Gentile wrote in a blog post.
Fortunately, the security breakdown on affected apps is not system wide. Only data sent through a vulnerable app is at risk of interception. SourceDNA has provided a search tool, so you can see if your favorite app is affected. If so, contact the app developer to find out when, or if, a patch will be released.