iOS app security is compromised by critical bug

1,500 iOS apps have this serious security flaw. Find out if your iPhone’s at risk.


Next time you're rock climbing or engaging in some other crazy adventure with your iPhone, be sure to take along this sweet leash system from Kenu. The Highline Security Leash starts with a protective, texturized polycarbonate iPhone case that's thin enough to put in your pocket but tough enough to protect from random damage.

The killer feature here, though, is the bungee-cord leash, which solidly locks into your iPhone's Lightning port as well as a notch in the back of the case, making for a secure connection. There's a version for the iPhone 6 ($29.95) and a stronger one for iPhone 6 Plus ($34.95), so you know your lifeline device will always stick nearby, letting you feel secure as you whip it out while skiing down a crazy slope this winter. — Rob LeFebvre

Photo: Rob LeFebvre/Cult of Mac

Buy from: Amazon
Is your iPhone running compromised apps? Photo: Rob LeFebvre/Cult of Mac

A serious security flaw affecting approximately 1,500 iOS apps makes them vulnerable to hackers looking to swipe passwords, bank account info and other sensitive data, according to a new report.

The bug, which security analytics firm SourceDNA identified last month, has been fixed in an update to the open-source code that contained the vulnerability. However, some app makers have not yet updated to the newer version.

Luckily, you can search to see if your favorite apps are vulnerable.

The bug appeared in a version of AFNetworking, “an open-source code library that allows developers to drop networking capabilities into their apps,” that was released in January, according to Ars Technica. The vulnerability allowed man-in-the-middle attacks that could give hackers access to data encrypted by HTTPS, a widely used internet security protocol.

Here’s Ars Technica’s description of how the attack would work in apps running version 2.5.1 of AFNetworking:

To exploit the bug, attackers on a coffee shop Wi-Fi network or in another position to monitor the connection of a vulnerable device need only present it with a fraudulent secure sockets layer certificate. Under normal conditions the credential would immediately be detected as a counterfeit, and the connection would be dropped. But because of a logic error in the code of version 2.5.1, the validation check is never carried out, so fraudulent certificates are fully trusted.

After identifying the flawed code, SourceDNA scanned and analyzed all 1.4 million titles in the App Store to see what apps remain vulnerable to the bug. While a relative few contain the compromised source code, some — including popular app Movies by Flixster, with Rotten Tomatoes — reportedly remained vulnerable as of Monday.

You can search SourceDNA’s iOS Security Report to see if any apps you use are vulnerable to this major security flaw.