Over 70 iOS apps were discovered to be vulnerable to having the data they send out intercepted by hackers.
In such attacks, known as man-in-the-middle attacks, hackers would be able to steal potentially sensitive data from the apps, which collectively have been downloaded more than 18 million times from Apple's App Store.
Vulnerable iOS Apps Discovered By Sudo Security
The vulnerable iOS apps were discovered by Sudo Security in a bulk analysis conducted with the company's verify.ly service, which performs static analysis on application binaries at scale.
The discovery was revealed by Sudo Security President Will Strafach through a Medium post, in which he claimed that 76 iOS apps allowed a silent man-in-the-middle attack to be launched on connections that should have had TLS protection. As a result, hackers would be able to intercept data being sent by these apps.
In addition to the collective downloads of the affected apps reaching more than 18 million, Strafach rated how dangerous each app is based on the risk posed by the discovered vulnerability.
Strafach said that 33 of the apps were considered low risk. This classification was given because the data vulnerable to interception in a man-in-the-middle attack includes only partially sensitive analytics data about the user's device, partially sensitive personal data of the user, and log-in credentials that can only be used within a non-hostile network.
Of the discovered vulnerable apps, 24 were said to be at medium risk, as hackers would be able to intercept log-in credentials and session authentication tokens, allowing them to use the information to access the apps as if they were the victim.
The remaining 19 apps were said to be at high risk, as their vulnerability would allow hackers to intercept log-in credentials and session authentication tokens related to medical or financial services, which could severely affect the victim.
Should Apple Be Blamed For The Vulnerabilities?
Apple has pushed developers to implement stricter security measures on apps created for the iOS platform, so it is concerning to see that there are some popular apps that could possibly place the medical and financial information of users at risk.
Strafach noted that the App Transport Security feature of Apple's iOS will not be able to address the vulnerability, because the affected apps accept the certificate the attacker presents when intercepting data, so the connection is treated as a valid encrypted one.
Strafach added that the onus for addressing the vulnerability does not fall on Apple but rather on the developers of the affected apps. Developers should be very careful when adding network-related code to their apps, to prevent such vulnerabilities from arising.
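As an added illustration, not code from the article or from any of the affected apps, the following shows the pattern that most commonly produces this class of bug in an app's own networking code, a URLSession delegate that accepts any server trust, beside a variant that keeps the system's certificate validation. The class names are assumptions made for the example.

```swift
import Foundation
import Security

// VULNERABLE pattern (constructed example): the app overrides trust evaluation
// and accepts whatever certificate the server presents. App Transport Security
// cannot help here, because the app's own code is the part that gives up validation.
final class PermissiveSessionDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if let trust = challenge.protectionSpace.serverTrust {
            // Any certificate, including one from an interceptor, is accepted.
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

// HARDENED form (constructed example): let the system evaluate the certificate chain
// against the device's trust store and cancel the connection if it fails.
// Simply not implementing this delegate method at all has the same effect.
final class ValidatingSessionDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        var error: CFError?
        if SecTrustEvaluateWithError(trust, &error) {
            // Chain is valid for this host; proceed with the server's credential.
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Untrusted or mismatched certificate: refuse rather than silently continue.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage: pass the validating delegate when creating the session.
let session = URLSession(configuration: .default,
                         delegate: ValidatingSessionDelegate(),
                         delegateQueue: nil)
```

A simple check during testing is to run the app against a server whose certificate the device does not trust: the permissive variant completes the request, while the validating variant cancels it.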
Users, meanwhile, are also recommended to switch off the Wi-Fi toggle of their iOS devices when trying to access sensitive information while in public, as it is much easier for attackers to exploit public Wi-Fi networks.
The apps that fell in the medium-risk and high-risk categories have not been named, as the developers have been given up to 90 days to fix the problem before the affected apps are revealed.