A serious security flaw affecting approximately 1,500 iOS apps makes them vulnerable to hackers looking to swipe passwords, bank account info and other sensitive data, according to a new report.
The bug, which security analytics firm SourceDNA identified last month, has been fixed in an update to the open-source code that contained the vulnerability. However, some app makers have not yet updated to the newer version.
Luckily, you can search to see if your favorite apps are vulnerable.
The bug appeared in a version of AFNetworking, “an open-source code library that allows developers to drop networking capabilities into their apps,” that was released in January, according to Ars Technica. The vulnerability allowed man-in-the-middle attacks that could give hackers access to data encrypted by HTTPS, a widely used internet security protocol.
Here’s Ars Technica’s description of how the attack would work in apps running version 2.5.1 of AFNetworking:
To exploit the bug, attackers on a coffee shop Wi-Fi network or in another position to monitor the connection of a vulnerable device need only present it with a fraudulent secure sockets layer certificate. Under normal conditions the credential would immediately be detected as a counterfeit, and the connection would be dropped. But because of a logic error in the code of version 2.5.1, the validation check is never carried out, so fraudulent certificates are fully trusted.
After identifying the flawed code, SourceDNA scanned and analyzed all 1.4 million titles in the App Store to see which apps remain vulnerable to the bug. While relatively few contain the vulnerable code, some — including popular app Movies by Flixster, with Rotten Tomatoes — reportedly remained vulnerable as of Monday.
You can search SourceDNA’s iOS Security Report to see if any apps you use are vulnerable to this major security flaw.
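Developers can run the equivalent check on their own projects. The script below is an added example, not code from SourceDNA, Ars Technica or AFNetworking: it assumes the app manages dependencies with CocoaPods and reads the resolved versions from the PODS section of Podfile.lock, flagging any AFNetworking entry pinned to 2.5.1. The sample lockfile and function names are constructed for illustration.

```python
import re

# Version the article names as affected. The fixed release is not named there,
# so only an exact match is flagged.
AFFECTED_VERSION = "2.5.1"

# A resolved entry in the PODS section: "  - Name/Subspec (1.2.3)" with optional
# trailing colon. Nested requirement lines are indented four spaces and skipped.
POD_LINE = re.compile(r'^  - "?(?P<name>[^\s"(]+) \((?P<version>[^)]+)\)"?:?\s*$')

# Constructed sample Podfile.lock (ExamplePod is a placeholder dependency).
SAMPLE_LOCKFILE = """\
PODS:
  - AFNetworking (2.5.1):
    - AFNetworking/Security (= 2.5.1)
    - AFNetworking/Serialization (= 2.5.1)
  - AFNetworking/Security (2.5.1)
  - AFNetworking/Serialization (2.5.1)
  - ExamplePod (1.0.0)

DEPENDENCIES:
  - AFNetworking (~> 2.5)
  - ExamplePod
"""


def resolved_pods(lock_text):
    """Yield (name, version) for each pod actually resolved in the PODS section."""
    in_pods = False
    for line in lock_text.splitlines():
        if line and not line.startswith(" "):
            # A top-level key starts a new section; only PODS holds resolved versions.
            in_pods = line.strip() == "PODS:"
            continue
        if in_pods:
            match = POD_LINE.match(line)
            if match:
                yield match.group("name"), match.group("version")


def affected_afnetworking(lock_text):
    """Return AFNetworking pods and subspecs resolved to the affected version."""
    return sorted(
        name for name, version in resolved_pods(lock_text)
        if name.split("/")[0] == "AFNetworking" and version == AFFECTED_VERSION
    )


if __name__ == "__main__":
    for pod in affected_afnetworking(SAMPLE_LOCKFILE):
        print(f"{pod} is pinned to {AFFECTED_VERSION}: update the dependency")
```

Only the PODS section is read because DEPENDENCIES lists version constraints such as `~> 2.5`, not the version that was actually built into the app.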