1,500 iOS Apps With AFNetworking Flaw Making Your iPhone And iPad Prone To Hacking

Some 1,500 iOS apps, including popular apps from Microsoft, Yahoo, and Uber, are vulnerable to snooping by hackers exploiting a security flaw in the code used by these apps.

The flaw was found in the open-source AFNetworking code library, which has been fixed late last month six weeks after it was discovered by cybersecurity researchers at SourceDNA. However, while the security hole has already been patched, many app developers still have not updated their apps to reflect version 2.5.2 of AFNetworking, which fixes the flaw.

SourceDNA says version 2.5.1 of the code library contained a bug that allowed hackers to bypass digital certificate validation over encrypted connections. This means hackers can easily launch man-in-the-middle attacks over insecure wireless networks to present fake digital certificates and gain access to a user's private and sensitive information stored in the app.

"Due to lack of SSL certificate validation, the proverbial coffee shop attacker could easily bypass SSL and see all your app's user credentials and banking data," says SourceDNA.

Out of the 1.4 million apps on the Apple App Store, the cybersecurity firm says around 100,000 apps use AFNetworking. However, not all of them are vulnerable to third-party attacks. After scanning for the vulnerability, SourceDNA says more than half, or 55 percent, of the 100,000 apps use AFNetworking 2.5.0, which does not have the bug that makes the newer version vulnerable.

Another 40 percent of the apps do not use the code library's SSL API, which leaves the remaining 5 percent, or some 1,500, of apps vulnerable. That number may seem insignificant, given the number of apps available in the App Store, but the affected apps include prominent players, such as OneDrive by Microsoft, Yahoo Finance, and Uber's ride-sharing app.

As of Tuesday afternoon, SourceDNA says the developers have yet to issue a fix for their iOS apps, despite AFNetworking 2.5.2 having been released nearly a month ago.

"It amazes us that an open-source library that introduced a security flaw for only six weeks exposed millions of users to attack," SourceDNA says.

The cybersecurity firm says it has a list of affected apps and has developed a service that allows developers to check if their apps are vulnerable. The service does not provide an entire list of apps, however. It requires developers to input specific app names or developers and asks for email addresses, which could turn off average users wanting to check multiple apps.

Photo: Kārlis Dambrāns | Flickr

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.
Join the Discussion
Real Time Analytics