Researchers have discovered that more than 1,500 popular applications carry a vulnerability that could allow man-in-the-middle attacks to snoop on their data. Your iPhone, or at least the apps on it, might not be as secure as you thought.
The vulnerability was caused by a bug in an older version of AFNetworking, an open-source networking library used by many popular applications. The bug was introduced in January and fixed on March 26, but many apps on the App Store still ship builds that use the flawed version of the library.
Here’s how the researchers at SourceDNA, who found the affected applications, described scouring the App Store and exactly what they discovered:
The day the flaw was announced & patched, a quick search in SourceDNA showed about 20,000 iOS apps (out of the 100k apps that use AFNetworking) both contained the AFNetworking library and were updated or released on the App Store after the flawed code was committed. Our system then scanned those apps with the differential signatures to see which ones actually had the vulnerable code.
The results? 55% had the older but safe 2.5.0 code, 40% were not using the portion of the library that provides the SSL API, and 5% or about 1,000 apps had the flaw. Are these apps important? We compared them against our rank data and found some big players: Yahoo!, Microsoft, Uber, Citrix, etc. It amazes us that an open-source library that introduced a security flaw for only 6 weeks exposed millions of users to attack.
The number of affected applications has risen since that post was published. Ars Technica reports that some companies implicated in the post — Microsoft, Uber, and Yahoo, among others — have already fixed the bug in their apps.
It’s important to note that having an affected app installed doesn’t place an entire device at risk; it merely means that someone positioned on the network path (on the same Wi-Fi network, for example) could execute a man-in-the-middle attack and read or alter the traffic of those particular applications, not the rest of the device.
SourceDNA has released a tool that allows consumers and developers alike to search for specific applications to see if they’re vulnerable to attack. The company said it didn’t want to release an entire list of affected applications because that might encourage some hackers to exploit the vulnerability.
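For developers who would rather check their own projects than look up each app by name, the same question can be answered from the CocoaPods lockfile, since that is where the resolved AFNetworking version is recorded. The script below is an added example and is not SourceDNA's tool or AFNetworking project code. It parses a Podfile.lock and classifies the locked AFNetworking release; the article only names 2.5.0 as the older, safe release, so the version boundaries used here (2.5.1 as the first affected release, 2.5.2 as the fix) and the sample lockfiles are this example's own assumptions and constructed inputs.

```python
"""Check a CocoaPods Podfile.lock for an AFNetworking release in the affected range."""
import re
from typing import Dict, Tuple

# Only top-level PODS entries are indented by exactly two spaces, e.g.
#   - AFNetworking (2.5.1):
# Nested dependency lines ("    - AFNetworking/Security (= 2.5.1)") sit deeper
# and carry version constraints rather than resolved versions, so they are skipped.
POD_LINE = re.compile(r"^  - ([A-Za-z0-9_.+-]+)(?:/[A-Za-z0-9_./+-]+)? \(([^)]+)\)")

# The article names only 2.5.0 as the older, safe release. The first affected
# release (2.5.1) and the fixed release (2.5.2) are this example's assumptions.
SAFE_OLDER = "2.5.0"
FIRST_AFFECTED = "2.5.1"
FIXED = "2.5.2"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.5.1' (or '2.5.1-beta1') into a comparable tuple of integers."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_podfile_lock(text: str) -> Dict[str, str]:
    """Return {pod name: resolved version} for the top-level PODS: entries."""
    pods: Dict[str, str] = {}
    in_pods = False
    for line in text.splitlines():
        if line.startswith("PODS:"):
            in_pods = True
            continue
        if in_pods and line.strip() and not line.startswith(" "):
            break  # reached DEPENDENCIES:, SPEC CHECKSUMS:, etc.
        m = POD_LINE.match(line) if in_pods else None
        if m:
            # Subspecs (AFNetworking/Security) resolve to the parent pod's version.
            pods.setdefault(m.group(1), m.group(2))
    return pods


def classify(version: str) -> str:
    """Map a resolved AFNetworking version to 'affected', 'older-safe' or 'fixed'."""
    v = parse_version(version)
    if parse_version(FIRST_AFFECTED) <= v < parse_version(FIXED):
        return "affected"
    if v < parse_version(FIRST_AFFECTED):
        return "older-safe"
    return "fixed"


def audit_afnetworking(lock_text: str) -> str:
    """Return 'absent', 'affected', 'older-safe' or 'fixed' for the locked AFNetworking."""
    version = parse_podfile_lock(lock_text).get("AFNetworking")
    return "absent" if version is None else classify(version)


# Constructed sample lockfiles (not taken from any real project).
AFFECTED_LOCK = """\
PODS:
  - AFNetworking (2.5.1):
    - AFNetworking/NSURLConnection (= 2.5.1)
    - AFNetworking/Security (= 2.5.1)
  - AFNetworking/Security (2.5.1)
  - AFNetworking/NSURLConnection (2.5.1):
    - AFNetworking/Security

DEPENDENCIES:
  - AFNetworking (~> 2.5)

SPEC CHECKSUMS:
  AFNetworking: placeholder-checksum
"""

FIXED_LOCK = AFFECTED_LOCK.replace("2.5.1", "2.5.2")

if __name__ == "__main__":
    for label, lock in (("affected sample", AFFECTED_LOCK), ("fixed sample", FIXED_LOCK)):
        print(f"{label}: AFNetworking is {audit_afnetworking(lock)}")
```

Note that a lockfile check only covers projects that pull AFNetworking in through CocoaPods; a library vendored by hand or embedded through another dependency will not show up here, which is the gap that binary-level scanning of the kind SourceDNA describes is meant to close.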
[illustration by Brad Jonas]