Some 1,500 iOS apps exposed to serious HTTPS vulnerability, analytics firm says
Approximately 1,500 iOS apps are exposed to a vulnerability that could let a hacker bypass HTTPS security and steal passwords and other sensitive data, according to research released on Monday.
Analytics firm SourceDNA said the problem traces back to AFNetworking, an open-source code library many apps use for networking functions. Version 2.5.1, released in January, accidentally introduced a bug that could let someone on the same Wi-Fi network -- or otherwise able to monitor a connection -- present a fake SSL certificate and successfully decrypt HTTPS data.
The glitch causes AFNetworking to simply skip a validation check. The issue was first noted by Ars Technica.
The problem was solved with a v2.5.2 update three weeks ago, but many iOS apps are still using the old code, including some prominent titles like Alibaba, Uber, Movies by Flixster, and Citrix OpenVoice Audio Conferencing.
The number of exposed apps could exceed 1,500. SourceDNA said it analyzed 1 million of the 1.4 million titles in the App Store, including all free titles but only the top 5,000 paid ones. Affected apps were not only using an outdated version of AFNetworking but also failing to use certificate pinning, which allows only a specific certificate for HTTPS. Pinning is off by default in AFNetworking.
Before coming to a final tally, SourceDNA contacted developers privately, allowing some of them to fix the issue. Major companies like Uber, Yahoo, and Microsoft are said to have made app changes, although some of their apps are still exposed. A web-based search tool can be used to learn if an app is vulnerable or has already been patched.
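The two conditions the article names, an outdated library and no pinning, map directly onto an app's AFSecurityPolicy. The following is an added example, not code from the article or from the AFNetworking project; it assumes AFNetworking 2.5.2 or later, an app that talks to a single API host, and a DER-encoded server certificate bundled as "api-server.cer" (all assumed names).

```objective-c
// Added example (not from the article or the AFNetworking project).
// Assumes AFNetworking 2.5.2+ and a DER certificate "api-server.cer" in the
// app bundle; both the version and the file name are assumptions.
#import <AFNetworking/AFNetworking.h>

// Library default, which the affected apps relied on: no pinning, so any
// certificate the system trust store accepts is allowed. Updating the library
// restores the skipped validation check; it does not add a second layer.
static AFSecurityPolicy *DefaultPolicy(void) {
    return [AFSecurityPolicy defaultPolicy];   // AFSSLPinningModeNone
}

// Hardened policy: pin the server's public key, keep hostname matching on and
// refuse invalid certificates. A forged certificate that the chain check
// lets through still fails the pin comparison.
static AFSecurityPolicy *PinnedPolicy(void) {
    NSString *path = [[NSBundle mainBundle] pathForResource:@"api-server"
                                                     ofType:@"cer"];
    NSData *cert = [NSData dataWithContentsOfFile:path];
    NSAssert(cert != nil, @"pinned certificate missing from the app bundle");

    AFSecurityPolicy *policy =
        [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey];
    policy.pinnedCertificates = @[cert];
    policy.allowInvalidCertificates = NO;  // never YES outside debug builds
    policy.validatesDomainName = YES;      // certificate must match the host
    return policy;
}

// Single request manager for all API traffic, carrying the pinned policy.
static AFHTTPRequestOperationManager *APIManager(void) {
    AFHTTPRequestOperationManager *manager =
        [AFHTTPRequestOperationManager manager];
    manager.securityPolicy = PinnedPolicy();
    return manager;
}
```

Rotating the server key means shipping a new pinned certificate, so keep the bundled file current alongside the library version.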
Late last week, security researcher Patrick Wardle wrote that OS X 10.10.3 has failed to completely fix RootPipe, a flaw that could allow Mac software to gain root access without authenticating. Wardle said that he is deliberately withholding details from the public for safety's sake, but has already notified Apple.
Comments
That's like saying the missing plank in your neighbor's fence makes him unsafe, when you don't have any fence, nor door or window locks in your house.
A big thank you goes out to Wardle!
Great analogy!
First off, this isn't Apple's problem. It's a problem with code provided by AFNetworking (as pointed out by leavingthebigG).
Second, this company (SourceDNA) claims they have the ability to scan EVERY single App in the App Store to search for such flaws.
I'm REALLY curious how they can make such a claim.
You don't think that any Android apps use that same open source networking library with the vulnerability?
Hey Sheldon Cooper, I mean thompr, I believe he was being sarcastic. Yes, he should have used "/s", but he didn't.
Well, since it is an Objective-C library, probably not.
You can go read about it on their blog. They basically download them, and run them through an analyzer that has some fuzzy checks based on binary analysis.
I did read their blog. I don't have a problem with their methodology of scanning an App - this is how virus scanners work.
What I find unbelievable is that they claim to have downloaded virtually all the Apps in the App Store. I'm curious how they would even do that, and also curious how much money that would cost them. Also curious how they could download them all fast enough to even keep up with updates. How much bandwidth would that even require?
Suggestion to iOS developers, do the extra work to get things done instead of using third party tools. When I was developing an app that used HTTPS, I looked at AFNetworking then decided not to tie the success or failure of my app to a third party.
Yeah, but how do you know that you won't make a similar mistake? One that won't be found until it's too late. The most secure way is to get your code tested and audited by a third party, so it doesn't matter, in terms of security, what you do.
They said they downloaded all the free ones and the top 5000 paid ones IIRC. And they only did the ones that were updated after the buggy library came out and before it was patched. 1 million of 1.4 million apps is what I remember reading.
Not a surprise to see CBS Interactive still on the offenders list (home to ZDNet, etc.). Also ESPN.
But most of the "small shop" developers seem to be fine (at least on my devices).
* The article mentions that they only scanned the top 5000 paid apps. Considering that most apps cost no more than $1 or $2, that doesn't seem an extraordinarily expensive job.
* The average app in late 2012 weighed in around 25MB (http://www.slashgear.com/ios-app-size-averages-at-23-mb-16-percent-increase-since-march-17252428/), and that figure is skewed upward by games. So 1 million apps would take around 25TB (maybe a bit more if you assume that sizes have inflated a little since then). For a large analytics firm with multiple high speed connections, it probably wouldn't take more than a week or two to download the entire archive. They're not working out of somebody's basement.
Of course they're not "working out of a basement". There are so many other issues I have with this that make me skeptical.
- Would Apple even allow someone to download that many Apps? At what point do they realize this isn't normal behavior and investigate? Apple must monitor traffic and a large amount going to a certain IP should raise the alarm.
- How are they downloading them? Surely they don't have a bunch of people using iTunes to download them. Which makes me think they wrote their own automated software that "tricks" the App Store into thinking the downloads are coming from a computer(s) with iTunes or an iOS device(s). Which should set some red flags.
- Where did they get their "catalog" or master list of all Apps? How do you even find that many Apps to download, since most of them are "hidden" (don't show up unless you specifically search for them or are provided a link from a developer website)?
I suspect that Apple has ways for companies like this to have access to the catalog. Just a guess. But they are operating in the open so I doubt they are surreptitiously doing this behind Apple's back.
Oh, and Google has a couple of wayward apps, as well. How 'bout it, Mr. Gator?