Some 1,500 iOS apps exposed to serious HTTPS vulnerability, analytics firm says

Posted:
in iPhone edited April 2015
Approximately 1,500 iOS apps are exposed to a vulnerability that could let a hacker bypass HTTPS security and steal passwords and other sensitive data, according to research released on Monday.




Analytics firm SourceDNA said the problem traces back to AFNetworking, an open-source code library many apps use for networking functions. Version 2.5.1, released in January, accidentally introduced a bug which could let someone on the same Wi-Fi network -- or otherwise able to monitor a connection -- present a fake SSL certificate and successfully decrypt HTTPS data.

The glitch causes AFNetworking to simply skip a validation check. The issue was first noted by ArsTechnica.

The problem was solved with a v2.5.2 update three weeks ago, but many iOS apps are still using the old code, including some prominent titles like Alibaba, Uber, Movies by Flixster, and Citrix OpenVoice Audio Conferencing.

The number of exposed apps could exceed 1,500. SourceDNA said it analyzed 1 million of the 1.4 million titles in the App Store, including all free titles, but only the top 5,000 paid ones. Affected apps were not only using an outdated version of AFNetworking but failing to use certificate pinning, which allows only a specific certificate for HTTPS. Pinning is off by default in AFNetworking.

Before coming to a final tally SourceDNA contacted developers privately, allowing some of them to fix the issue. Major companies like Uber, Yahoo, and Microsoft are said to have made app changes, although some of their apps are still exposed. A web-based search tool can be used to learn if an app is vulnerable or has already been patched.

Late last week, security researcher Patrick Wardle wrote that OS X 10.10.3 has failed to completely fix RootPipe, a flaw that could allow Mac software to gain root access without authenticating. Wardle said that he is deliberately withholding details from the public for safety's sake, but has already notified Apple.
«1

Comments

  • Reply 1 of 29
    dipdog3dipdog3 Posts: 89member
    Glad it is only iOS apps, all of us Android users are safe!
  • Reply 2 of 29
    dipdog3 wrote: »
    Glad it is only iOS apps, all of us Android users are safe!

    That's like saying the missing plank in your neighbors fence makes him unsafe, when you don't have any fence, nor door or window locks in your house.
  • Reply 3 of 29
    Suggestion to iOS developers, do the extra work to get things done instead of using third party tools. When I was developing an app that used HTTPS, I looked at AFNetworking then decided not to tie the success or failure of my app to a third party.
  • Reply 4 of 29
    freerangefreerange Posts: 1,597member
    "Wardle said that he is deliberately withholding details from the public for safety's sake, but has already notified Apple."

    A big thank you goes out to Wardle!
  • Reply 5 of 29
    MacProMacPro Posts: 19,822member
    That's like saying the missing plank in your neighbors fence makes him unsafe, when you don't have any fence, nor door or window locks in your house.

    Great analogy! :D
  • Reply 6 of 29

    First off, this isn't Apple's problem. It's a problem with code provided by AFNetworking (as pointed out by leavingthebigG).

     

    Second, this company (SourceDNA) claims they have the ability to scan EVERY single App in the App Store to search for such flaws.

     

    I'm REALLY curious how they can make such a claim.

  • Reply 7 of 29
    thomprthompr Posts: 1,521member
    dipdog3 wrote: »
    Glad it is only iOS apps, all of us Android users are safe!

    You don't think that any Android apps use that same open source networking library with the vulnerability?
  • Reply 8 of 29
    larz2112larz2112 Posts: 291member
    Quote:

    Originally Posted by thompr View Post





    You don't think that any Android apps use that same open source networking library with the vulnerability?

     

    Hey Sheldon Cooper, I mean thompr, I believe he was being sarcastic. Yes, he should have used "/s", but he didn't.

  • Reply 9 of 29
    chadbagchadbag Posts: 2,024member
    Quote:

    Originally Posted by thompr View Post





    You don't think that any Android apps use that same open source networking library with the vulnerability?



    Well, since it is an Objective-C library, probably not.

  • Reply 10 of 29
    chadbagchadbag Posts: 2,024member
    Quote:

    Originally Posted by EricTheHalfBee View Post

     

    First off, this isn't Apple's problem. It's a problem with code provided by AFNetworking (as pointed out by leavingthebigG).

     

    Second, this company (SourceDNA) claims they have the ability to scan EVERY single App in the App Store to search for such flaws.

     

    I'm REALLY curious how they can make such a claim.




    You can go read about it on their blog.  They basically download them, and run them through an analyzer that has some fuzzy checks based on binary analysis.

  • Reply 11 of 29
    Quote:

    Originally Posted by chadbag View Post

     



    You can go read about it on their blog.  They basically download them, and run them through an analyzer that has some fuzzy checks based on binary analysis.


     

    I did read their blog. I don't have a problem with their methodology of scanning an App - this is how virus scanners work.

     

    What I find unbelievable is that they claim to have downloaded virtually all the Apps in the App Store. I'm curious how they would even do that, and also curious how much money that would cost them. Also curious how they could download them all fast enough to even keep up with updates. How much bandwidth would that even require?

  • Reply 12 of 29
    Quote:

    Originally Posted by leavingthebigG View Post



    Suggestion to iOS developers, do the extra work to get things done instead of using third party tools. When I was developing an app that used HTTPS, I looked at AFNetworking then decided not to tie the success or failure of my app to a third party.

     

    Yeah, but how do you know that you won't make a similar mistake? One that won't be found until it's too late. The most secure way is to get your code tested and audited by a third party, so it doesn't matter, in terms of security, what you do.

  • Reply 13 of 29
    chadbagchadbag Posts: 2,024member
    Quote:
    Originally Posted by thompr View Post





    You don't think that any Android apps use that same open source networking library with the vulnerability?



    Well, since it is an Objective-C library, probably not.

    Quote:

    Originally Posted by EricTheHalfBee View Post

     

     

    I did read their blog. I don't have a problem with their methodology of scanning an App - this is how virus scanners work.

     

    What I find unbelievable is that they claim to have downloaded virtually all the Apps in the App Store. I'm curious how they would even do that, and also curious how much money that would cost them. Also curious how they could download them all fast enough to even keep up with updates. How much bandwidth would that even require?




    They said they downloaded all the free ones and the top 5000 paid ones IIRC.  And they only did the ones that were updated after the buggy library came out and before it was patched.  1 million of 1.4 million apps is what I remember reading

  • Reply 14 of 29
    pscooter63pscooter63 Posts: 1,081member

    Not a surprise to see CBS Interactive still on the offenders list (home to ZDNet, etc.).  Also ESPN.

    But most of the "small shop" developers seem to be fine (at least on my devices).

  • Reply 15 of 29
    d4njvrzfd4njvrzf Posts: 797member
    Quote:
    Originally Posted by EricTheHalfBee View Post

     

     

    I did read their blog. I don't have a problem with their methodology of scanning an App - this is how virus scanners work.

     

    What I find unbelievable is that they claim to have downloaded virtually all the Apps in the App Store. I'm curious how they would even do that, and also curious how much money that would cost them. Also curious how they could download them all fast enough to even keep up with updates. How much bandwidth would that even require?


    * The article mentions that they only scanned the top 5000 paid apps. Considering that most apps cost no more than $1 or $2, that doesn't seem an extraordinarily expensive job. 

     

    * The average app in late 2012 weighed in around 25MB (http://www.slashgear.com/ios-app-size-averages-at-23-mb-16-percent-increase-since-march-17252428/), and that figure is skewed upward by games. So 1 million apps would take around 25TB (maybe a bit more if you assume that sizes have inflated a little since then). For a large analytics firm with multiple high speed connections, it probably wouldn't take more than a week or two to download the entire archive. They're not working out of somebody's basement.

  • Reply 16 of 29
    Quote:

    Originally Posted by d4NjvRzf View Post

     

    * The article mentions that they only scanned the top 5000 paid apps. Considering that most apps cost no more than $1 or $2, that doesn't seem an extraordinarily expensive job. 

     

    * The average app in late 2012 weighed in around 25MB (http://www.slashgear.com/ios-app-size-averages-at-23-mb-16-percent-increase-since-march-17252428/), and that figure is skewed upward by games. So 1 million apps would take around 25TB (maybe a bit more if you assume that sizes have inflated a little since then). For a large analytics firm with multiple high speed connections, it probably wouldn't take more than a week or two to download the entire archive. They're not working out of somebody's basement.


     

    Of course they're not "working out of a basement". There are so many other issues I have with this that make me skeptical.

     

    - Would Apple even allow someone to download that many Apps? At what point do they realize this isn't normal behavior and investigate? Apple must monitor traffic and a large amount going to a certain IP should raise the alarm.

    - How are they downloading them? Surely they don't have a bunch of people using iTunes to download them. Which makes me think they wrote their own automated software that "tricks" the App Store into thinking the downloads are coming from a computer(s) with iTunes or an iOS device(s). Which should set some red flags.

    - Where did they get their "catalog" or master list of all Apps? How do you even find that many Apps to download, since most of them are "hidden" (don't show up unless you specifically search for them or are provided a link from a developer website)?

  • Reply 17 of 29
    chadbagchadbag Posts: 2,024member
    Quote:

    Originally Posted by EricTheHalfBee View Post

     

     

    Of course they're not "working out of a basement". There are so many other issues I have with this that make me skeptical.

     

    - Would Apple even allow someone to download that many Apps? At what point do they realize this isn't normal behavior and investigate? Apple must monitor traffic and a large amount going to a certain IP should raise the alarm.

    - How are they downloading them? Surely they don't have a bunch of people using iTunes to download them. Which makes me think they wrote their own automated software that "tricks" the App Store into thinking the downloads are coming from a computer(s) with iTunes or an iOS device(s). Which should set some red flags.

    - Where did they get their "catalog" or master list of all Apps? How do you even find that many Apps to download, since most of them are "hidden" (don't show up unless you specifically search for them or are provided a link from a developer website)?




    I suspect that Apple has ways for companies like this to have access to the catalog.   Just a guess.    But they are operating in the open so I doubt they are surreptitiously doing this behind Apple's back.

  • Reply 18 of 29
    In the spirit of balanced reporting I'm sure we'll see authors devote time to this vulnerability as is done whenever an Android vulnerability is discussed.
  • Reply 19 of 29
    asdasdasdasd Posts: 5,686member
    I wonder how they got to 1 million. This was introduced in AFNetworking 2.5.1 and fixed in 2.5.2.
  • Reply 20 of 29
    pscooter63pscooter63 Posts: 1,081member

    Oh, and Google has a couple of wayward apps, as well.  How 'bout it, Mr. Gator?

Sign In or Register to comment.