Man-in-the-Middle diddle hits 25,000 iOS apps
Big banks' apps borked by silly certificate SNAFU
Some 25,000 iOS apps are exposed to man-in-the-middle attacks thanks to vulnerabilities in the popular AFNetworking library.
The now-fixed Secure Sockets Layer (SSL) bug is the latest found in the library which has been patched three times since March.
US firm SourceDNA says the flaw existed in code that was near a previous bug, and involved a failure to validate certificate domain names. This meant an attacker presenting any certificate could nab user traffic.
"This meant that a coffee shop attacker could still eavesdrop on private data or grab control of any SSL session between the app and the internet," the company says in an advisory.
"Because the domain name wasn't checked, all they needed was a valid SSL certificate for any web server, something you can buy for US$50.
"We were surprised to see this bug in (version) 2.5.2, and doubly so when we realised this issue had already been reported and fixed the day after the previous SSL flaw was fixed, but no one seemed to have noticed that it had been left out of the 2.5.2 release."
AFNetworking iOS developer Tamás Tímár fixed the hole in version 2.5.3.
The company recommends updating to the latest version and enabling certificate pinning for additional security. ®