Popular iOS apps vulnerable to spilling your sensitive data


iPhone 7 front
Be wary when using Wi-Fi.
Photo: Ste Smith/Cult of Mac

Dozens of popular iOS apps are vulnerable to spilling your sensitive data through silent “man-in-the-middle” attacks, according to a reliable mobile security expert.

During testing, Will Strafach, one of the first to hack open the iOS platform, found 76 apps that were guilty of accepting invalid certificates that could be used to intercept data.

Strafach is now the CEO of Sudo Security Group, a company that specializes in enterprise security solutions for iOS. While developing the firm’s latest tool, an app analysis service, Strafach scanned the code of iOS apps “en-masse” to research common issues.

He stumbled upon “hundreds” of iOS apps that have a high likelihood of vulnerability to data interception. With further testing, Strafach has confirmed that 76 of them could be hacked using an invalid TLS certificate.

Some of the apps that are vulnerable but pose a low risk to end users if their data is intercepted are Snap Upload for Snapchat, VICE News, Trading 212 Forex & Stocks, Private Browser, Cheetah Browser, and Code Scanner by ScanLife.

Strafach also identified vulnerable apps that post a medium or high risk to end users, but he is giving their developers an opportunity to fix them before posting the list in 60 to 90 days.

What’s worrying about these vulnerabilities is that they are blocked by the App Transport Security feature that’s baked into iOS. Furthermore, “this sort of attack can be conducted by any party within Wi-Fi range of your device while it is in use,” Strafach says.

“This can be anywhere in public, or even within your home if an attacker can get within close range. Such an attack can be conducted using either custom hardware, or a slighly [sic] modified mobile phone, depending on the required range and capabilities.”

In the past, the same vulnerability has been identified in iOS apps from Exsperian, Trend Micro, Citrix, Dell, Kaspersky, and PayPal. However, it is believed these issues have now been addressed and none of these apps are vulnerable today.

Only app developers can solve this problem; there’s nothing Apple can do on its side to patch the holes. However, Strafach says it’s easy to avoid an attack by simply using a cellular connection instead of Wi-Fi when using a vulnerable app.


Daily round-ups or a weekly refresher, straight from Cult of Mac to your inbox.

  • The Weekender

    The week's best Apple news, reviews and how-tos from Cult of Mac, every Saturday morning. Our readers say: "Thank you guys for always posting cool stuff" -- Vaughn Nevins. "Very informative" -- Kenly Xavier.