There’s a vulnerability in 1,500 popular iPhone apps that allows attacks on your data



Researchers have discovered that more than 1,500 popular iOS applications carry a vulnerability that lets an attacker positioned between the app and its server, a so-called man-in-the-middle, read the data the app sends. Your iPhone, or at least the apps on it, might not be as secure as you thought.

The vulnerability is a bug in AFNetworking, an open-source networking library that many popular applications build on. The flaw shipped in version 2.5.1 in January and was fixed in version 2.5.2 on March 26, but developers continue to ship apps built with the vulnerable version. While the bug is present, the library fails to validate the server's SSL certificate, so anyone who can intercept the connection can present a certificate of their own and the app will accept it.

Here is how the researchers at SourceDNA, who identified the affected applications, described scanning the App Store and what they found:

The day the flaw was announced & patched, a quick search in SourceDNA showed about 20,000 iOS apps (out of the 100k apps that use AFNetworking) both contained the AFNetworking library and were updated or released on the App Store after the flawed code was committed. Our system then scanned those apps with the differential signatures to see which ones actually had the vulnerable code.

The results? 55% had the older but safe 2.5.0 code, 40% were not using the portion of the library that provides the SSL API, and 5% or about 1,000 apps had the flaw. Are these apps important? We compared them against our rank data and found some big players: Yahoo!, Microsoft, Uber, Citrix, etc. It amazes us that an open-source library that introduced a security flaw for only 6 weeks exposed millions of users to attack.

The number of affected applications has risen since that post was published. Ars Technica reports that some companies implicated in the post — Microsoft, Uber, and Yahoo, among others — have already fixed the bug in their apps.

It's important to note that having an affected app installed doesn't place the whole device at risk. It means that an attacker who controls the network path, for example the operator of a rogue Wi-Fi hotspot, can intercept that app's encrypted traffic to its servers and read, or alter, the data it carries. Apps without the bug, and the rest of the phone, are unaffected.
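To make that man-in-the-middle condition concrete, here is an added example, written for this page rather than taken from AFNetworking, SourceDNA or any of the apps named, in Go so that it runs stand-alone on the standard library. It mints a throwaway self-signed certificate for a made-up hostname, `api.example.test`, the way an attacker on a hostile network would, serves it on a loopback socket, and connects four client configurations to it. The `InsecureSkipVerify` client stands in for an app whose library skips certificate validation; the others validate the chain and the hostname as a correct client should.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// appHost is the hostname the app believes it is talking to (a constructed name).
const appHost = "api.example.test"

// Verdicts: true means that client configuration accepted the attacker's server.
type Verdicts struct{ Flawed, Hardened, Pinned, WrongHost bool }

// mitmCert mints a self-signed certificate claiming appHost, standing in for the one an
// attacker on a hostile network presents. No CA signed it, so real validation must reject it.
func mitmCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		DNSNames:              []string{appHost},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// handshake serves one TLS connection on loopback with serverCert and returns the
// client's handshake error; nil means the client accepted the presented certificate.
func handshake(serverCert tls.Certificate, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second))
		_ = tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{serverCert}}).Handshake()
	}()
	raw, err := net.DialTimeout("tcp", ln.Addr().String(), 5*time.Second)
	if err != nil {
		return err
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	return tls.Client(raw, clientCfg).Handshake()
}

// scenarios connects four client configurations to the attacker's certificate.
func scenarios() (Verdicts, error) {
	cert, leaf, err := mitmCert()
	if err != nil {
		return Verdicts{}, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	accepts := func(cfg *tls.Config) bool { return handshake(cert, cfg) == nil }
	return Verdicts{
		// A validation routine that answers "trusted" without checking: the attacker's
		// certificate is accepted and every request can be read or rewritten.
		Flawed: accepts(&tls.Config{ServerName: appHost, InsecureSkipVerify: true}),
		// Proper validation: no trusted CA signed this certificate, so it is rejected.
		Hardened: accepts(&tls.Config{ServerName: appHost}),
		// Pinning: the client trusts exactly this certificate, so it is accepted...
		Pinned: accepts(&tls.Config{ServerName: appHost, RootCAs: pool}),
		// ...but only for the name it was issued to.
		WrongHost: accepts(&tls.Config{ServerName: "other.example.test", RootCAs: pool}),
	}, nil
}

func main() {
	v, err := scenarios()
	fmt.Printf("%+v %v\n", v, err) // {Flawed:true Hardened:false Pinned:true WrongHost:false} <nil>
}
```

The skipping client completes the handshake with the attacker's certificate, which is all an attacker needs to read or rewrite the app's traffic; the validating client fails with an unknown-authority error. The two pinned configurations show what validation is supposed to buy: the certificate is accepted only when both its key and its name match what the app expects.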

SourceDNA has released a tool that allows consumers and developers alike to search for specific applications to see if they’re vulnerable to attack. The company said it didn’t want to release an entire list of affected applications because that might encourage some hackers to exploit the vulnerability.

[illustration by Brad Jonas]



The Internet of Things Exposes Users to Security Vulnerabilities


In January, we shared a somewhat facetious headline describing how hackers were using refrigerators and televisions to send waves of spam mail, but the growing problem is a serious one for personal data as well. According to security research from Hewlett Packard, 70 percent of the commonly used Internet of Things (IoT) devices it tested contained vulnerabilities.

These devices, which range from water sprinklers to refrigerators, collect and transmit private data such as social security numbers, banking information, addresses, birth dates and sometimes even credit card numbers.

According to Hewlett Packard's security research team, most IoT devices lack proper authentication and password protection:

An attacker can use vulnerabilities such as weak passwords, insecure password recovery mechanisms, poorly protected credentials, etc. to gain access to a device. A majority of devices along with their cloud and mobile components failed to require passwords of sufficient complexity and length with most allowing passwords such as “1234” or “123456”. In fact, many of the accounts we configured with weak passwords were also used on cloud websites as well as the product’s mobile application. A strong password policy is Security 101 and most solutions failed.

Further, most devices did not encrypt personal data in transit, and their web interfaces were insecure. The software and firmware update mechanisms were problematic before an update was even installed:

Given that software is what makes these devices function, it was rather alarming that 60 percent of devices displayed issues including no encryption during downloading of the update along with the update files themselves not being protected in some manner. In fact some downloads were intercepted, extracted and mounted as a file system in Linux where the software could be viewed or modified.
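As an added example of the update check HP found missing (constructed for this page, not HP's code or any vendor's), in Go with the standard library's Ed25519: the vendor signs the version and image together, the device holds only the public key, and a verifying installer refuses a tampered, forged or replayed (downgrade) image, while the naive installer the report describes accepts whatever arrived over the wire. The keys, the `Update` format and the image bytes are all generated or made up inline.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is what the device downloads: a version counter, the firmware image and
// the vendor's Ed25519 signature over version||image (a constructed format).
type Update struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

// signedBody is the exact byte string the vendor signs and the device checks.
// Binding the version in stops an attacker from relabelling an old image as new.
func signedBody(version uint32, image []byte) []byte {
	body := make([]byte, 4, 4+len(image))
	binary.BigEndian.PutUint32(body, version)
	return append(body, image...)
}

// signUpdate runs at the vendor, the only place the private key exists.
func signUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{Version: version, Image: image, Signature: ed25519.Sign(priv, signedBody(version, image))}
}

// installUnverified is the behaviour HP describes: whatever arrived over the
// unencrypted download goes to flash, so an on-path attacker chooses the firmware.
func installUnverified(u Update) []byte {
	return u.Image
}

// installVerified accepts an image only if the vendor's signature is valid and the
// version is newer than the one installed (a replayed old image is refused even
// though its signature is genuine).
func installVerified(vendorPub ed25519.PublicKey, installed uint32, u Update) ([]byte, error) {
	if !ed25519.Verify(vendorPub, signedBody(u.Version, u.Image), u.Signature) {
		return nil, errors.New("firmware signature invalid, image rejected")
	}
	if u.Version <= installed {
		return nil, fmt.Errorf("downgrade refused: version %d is not newer than %d", u.Version, installed)
	}
	return u.Image, nil
}

// Outcome records which updates each installer accepted.
type Outcome struct {
	UnverifiedRunsTampered bool // the naive device ends up running attacker-modified code
	VerifiedTookGenuine    bool
	VerifiedTookTampered   bool
	VerifiedTookForged     bool
	VerifiedTookDowngrade  bool
}

// demo plays the scenarios through with freshly generated keys and constructed images.
func demo() (Outcome, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	const installed = 41
	genuine := signUpdate(vendorPriv, 42, []byte("FIRMWARE v42 (constructed image)"))

	// Intercepted in transit and patched in one place; the vendor's signature is kept.
	tampered := genuine
	tampered.Image = append([]byte(nil), genuine.Image...)
	tampered.Image[0] ^= 0xFF
	// An attacker-built image signed with the attacker's own key.
	forged := signUpdate(attackerPriv, 43, []byte("BACKDOORED (constructed image)"))
	// A genuinely signed but older image, replayed to reinstate a known hole.
	downgrade := signUpdate(vendorPriv, 40, []byte("FIRMWARE v40 (constructed image)"))

	took := func(u Update) bool {
		_, err := installVerified(vendorPub, installed, u)
		return err == nil
	}
	return Outcome{
		UnverifiedRunsTampered: !bytes.Equal(installUnverified(tampered), genuine.Image),
		VerifiedTookGenuine:    took(genuine),
		VerifiedTookTampered:   took(tampered),
		VerifiedTookForged:     took(forged),
		VerifiedTookDowngrade:  took(downgrade),
	}, nil
}

func main() {
	o, err := demo()
	fmt.Printf("%+v %v\n", o, err) // {UnverifiedRunsTampered:true VerifiedTookGenuine:true VerifiedTookTampered:false VerifiedTookForged:false VerifiedTookDowngrade:false} <nil>
}
```

Signing rather than merely encrypting the download is the point: encryption hides the image from a passive observer, but only a signature tied to a key the device already trusts tells it that the image is the vendor's and unmodified. The version check closes the remaining gap, since a genuinely signed old image is still a way back to a known bug.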

By the year 2020, the IoT is expected to rise to 22 billion devices, which would eclipse the 7.3 billion smartphones. “The fact is, that today, many categories of connected things in 2020 don’t yet exist. As product designers dream up ways to exploit the inherent connectivity that will be offered in intelligent products, we expect the variety of devices offered to explode,” said Peter Middleton, research director at Gartner. As costs decline, it will be easier to connect anything and everything to the Web, but it could mean a particularly dangerous time for personal data.
