A serious security flaw affecting approximately 1,500 iOS apps makes them vulnerable to hackers looking to swipe passwords, bank account info and other sensitive data, according to a new report.
The bug, which security analytics firm SourceDNA identified last month, has been fixed in an update to the open-source code that contained the vulnerability. However, the fix only reaches users once each app's developer rebuilds and ships the app with the patched library, and some app makers have not yet updated to the newer version.
Luckily, you can search to see if your favorite apps are vulnerable.
The bug appeared in a version of AFNetworking, “an open-source code library that allows developers to drop networking capabilities into their apps,” that was released in January, according to Ars Technica. The vulnerability allowed man-in-the-middle attacks: an attacker on the network path could read and alter the data an affected app sends over HTTPS, the encryption protocol that is supposed to keep such traffic private.
Here’s Ars Technica’s description of how the attack would work in apps running version 2.5.1 of AFNetworking:
To exploit the bug, attackers on a coffee shop Wi-Fi network or in another position to monitor the connection of a vulnerable device need only present it with a fraudulent secure sockets layer certificate. Under normal conditions the credential would immediately be detected as a counterfeit, and the connection would be dropped. But because of a logic error in the code of version 2.5.1, the validation check is never carried out, so fraudulent certificates are fully trusted.
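The logic error Ars describes is a fail-open decision: a code path that answers "trusted" before the certificate-chain check is ever reached. The following is an added example, not code from the article, from Ars Technica, or from the AFNetworking project, and it does not reproduce AFNetworking 2.5.1's actual source. It models the decision a client makes when the server presents its certificate, with hypothetical names (`ServerTrust`, `Policy`, `PinningMode`, `evaluate_vulnerable`, `evaluate_fixed`) and constructed scenarios standing in for real certificates and the operating system's trust evaluation. It shows the fail-open shape beside a fail-closed version, and also why certificate pinning (a policy option the library offered, modelled here as public-key pinning) is the defense that holds even when the attacker's certificate chains to a trusted root:

```python
from dataclasses import dataclass, field
from enum import Enum


class PinningMode(Enum):
    NONE = "none"          # rely on the system CA store only
    PUBLIC_KEY = "pubkey"  # leaf public key must match a pinned key


@dataclass
class ServerTrust:
    """What the TLS handshake hands the client (constructed for this example)."""
    hostname_on_cert: str        # name in the leaf certificate's subject/SAN
    public_key: str              # stand-in for the leaf's SubjectPublicKeyInfo
    chain_to_trusted_root: bool  # would the OS trust evaluation accept the chain?


@dataclass
class Policy:
    pinning: PinningMode = PinningMode.NONE
    allow_invalid_certificates: bool = False   # debug-only escape hatch
    validates_domain_name: bool = True
    pinned_public_keys: set = field(default_factory=set)


def _domain_matches(policy: Policy, trust: ServerTrust, domain: str) -> bool:
    return not policy.validates_domain_name or trust.hostname_on_cert == domain


def evaluate_vulnerable(policy: Policy, trust: ServerTrust, domain: str) -> bool:
    """Fail-open shape of the bug: with no pinning configured, the function
    returns "trusted" before the chain is ever evaluated.  Hypothetical
    reconstruction of the bug class, not AFNetworking 2.5.1's actual code."""
    if not _domain_matches(policy, trust, domain):
        return False
    if policy.pinning is PinningMode.NONE:
        return True   # BUG: trust.chain_to_trusted_root is never consulted
    return (trust.public_key in policy.pinned_public_keys
            and (policy.allow_invalid_certificates or trust.chain_to_trusted_root))


def evaluate_fixed(policy: Policy, trust: ServerTrust, domain: str) -> bool:
    """Fail-closed version: every path consults the chain check unless the
    app explicitly opted out with allow_invalid_certificates."""
    if not _domain_matches(policy, trust, domain):
        return False
    chain_ok = policy.allow_invalid_certificates or trust.chain_to_trusted_root
    if not chain_ok:
        return False
    if policy.pinning is PinningMode.NONE:
        return True   # chain already verified above
    return trust.public_key in policy.pinned_public_keys


# Constructed scenarios.  A coffee-shop attacker can mint a certificate
# bearing the right hostname, but cannot make it chain to a trusted root or
# carry the real server's public key.
DOMAIN = "api.example.com"
LEGIT = ServerTrust(DOMAIN, "pk-legit", chain_to_trusted_root=True)
FORGED = ServerTrust(DOMAIN, "pk-attacker", chain_to_trusted_root=False)
# Rogue-CA case: the chain validates, but the key is not the real server's.
ROGUE_CA = ServerTrust(DOMAIN, "pk-attacker", chain_to_trusted_root=True)


def compare(policy: Policy, trust: ServerTrust) -> dict:
    """Run both evaluators on one scenario so the difference is visible."""
    return {"vulnerable": evaluate_vulnerable(policy, trust, DOMAIN),
            "fixed": evaluate_fixed(policy, trust, DOMAIN)}


if __name__ == "__main__":
    for label, trust in [("legit", LEGIT), ("forged", FORGED), ("rogue-ca", ROGUE_CA)]:
        print(label, compare(Policy(), trust))
    pinned = Policy(pinning=PinningMode.PUBLIC_KEY, pinned_public_keys={"pk-legit"})
    print("rogue-ca, pinned", compare(pinned, ROGUE_CA))
```

With the default policy, the fail-open evaluator accepts the forged certificate (hostname matches, chain does not validate) while the fixed one rejects it; both accept the rogue-CA certificate, because without pinning the decision rests entirely on the chain, which is why a pinned policy is what stops that case in either version. The practical check for an app developer is the same as this script's: feed the client a certificate that should fail and confirm the connection is dropped, rather than trusting that the library does it.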
After identifying the flawed code, SourceDNA scanned and analyzed all 1.4 million titles in the App Store to see which apps remain vulnerable to the bug. While only a relative few contain the flawed library version, some — including the popular app Movies by Flixster, with Rotten Tomatoes — reportedly remained vulnerable as of Monday.
You can search SourceDNA’s iOS Security Report to see if any apps you use are vulnerable to this major security flaw.
10 responses to “1,500 iOS apps have this serious security flaw. Find out if your iPhone’s at risk.”
The link you posted requires one to input the name of the developer… I have over 200 apps on my phone; I don’t think I will be inputting (after researching) the names of all the (potential) 200 developers!
I’m with you. This is a silly way to check for apps. And they want an email address to let us know what apps will get patched? Seriously? Not gonna do it.
“…attackers on a coffee shop Wi-Fi network or in another position to monitor the connection…”
So if I never use my wi-fi on my phone I’m good?
Impossible! Apple doesn’t have problems… well, that’s what the loyal fanboys say.
What a silly post. Every company, every product and every operating system has problems. Every •human• has problems. What’s your anti-Apple point? If you’re suggesting that “loyal fanboys” (redundant) would blindly support defective products regardless of the severity of the problems, you’re just popping off large for no reason.
I don’t have an “anti-Apple” point. I like Apple… I also like MS… I even like Android. I am more mocking the company. They have a long history of being insulting to customers when they report problems, like when Steve Jobs got visibly angry when someone suggested there might be an antenna issue, or the time you could see the glue behind the screen. There is also a group that would like to convince people that Apple doesn’t have the problems MS has. I am a fanboy of none, nor do I drink the Kool-Aid of the (obviously brilliant) marketers or the Apple-controlled media.
Man, the flawed code is an open-source library that is widely used by many app developers. Apple has nothing to do with it at all. Read the whole darn story before you react.
“1,500 iOS apps have this serious security flaw. Find out if your iPhone’s at risk.”
A serious flaw? Perhaps someone on an open (read: coffee-shop network) •could• be compromised •if• they happen to launch one of the 1500 unnamed apps, and •if• at that very moment someone was trying to get access to their phone. But the likelihood of such an event doesn’t come close to this being a serious security flaw. Pretty click-bait-ish.
Appreciate the heads-up, however.