Man-in-the-Middle diddle hits 25,000 iOS apps

Big banks' apps borked by silly certificate SNAFU

Some 25,000 iOS apps are exposed to man-in-the-middle attacks thanks to vulnerabilities in the popular AFNetworking library.

The now-fixed Secure Sockets Layer (SSL) bug is the latest found in the library which has been patched three times since March.

US firm SourceDNA says the flaw existed in code that was near a previous bug, and involved a failure to validate certificate domain names. This meant an attacker presenting any certificate could nab user traffic.

"This meant that a coffee shop attacker could still eavesdrop on private data or grab control of any SSL session between the app and the internet," the company says in an advisory.

"Because the domain name wasn't checked, all they needed was a valid SSL certificate for any web server, something you can buy for US$50.

"We were surprised to see this bug in (version) 2.5.2, and doubly so when we realised this issue had already been reported and fixed the day after the previous SSL flaw was fixed, but no one seemed to have noticed that it had been left out of the 2.5.2 release."

AFNetworking iOS developer Tamás Tímár fixed the hole in version 2.5.3.

SourceDNA's Searchlight app scanner reveals popular apps that are open to the vulnerability; these include Australia's Big Four banks, Bank of America, and Barclay's Bank Delaware.

The company recommends updating to the latest version and enabling certificate pinning for additional security. ®

Sponsored: Minds Mastering Machines - Call for papers now open




Biting the hand that feeds IT © 1998–2018