HTTPS vulnerability discovered in 1500 iOS apps

According to a recent report, 1,500 iOS apps are currently affected by an HTTPS vulnerability that enables attackers to snoop on sensitive private information. The bug was introduced in version 2.5.1 of AFNetworking, a popular networking library for iOS and Mac OS X apps. The vulnerability was discovered back in February and patched in version 2.5.2 in late March, but some apps still use the old version of the library, leaving the door open to a potential attacker.

On April 1st, when researchers from SourceDNA initially scanned 1 million of the 1.4 million titles in the App Store for this specific bug, they found that 1,000 apps were vulnerable at the time, including some from developers such as Yahoo, Microsoft, Flixster, Citrix, and Uber. That number went up to about 1,500 apps on April 18th when the App Store was re-scanned, even though Yahoo, Microsoft, and Uber had cleaned up their apps in the meantime.

If you're using one of the vulnerable apps, then an attacker would be able to gain access to all of the SSL traffic, including sensitive information such as your passwords or your bank account numbers. To find out if your apps are vulnerable, click the source link below. If it turns out that you do have vulnerable apps, it's probably best to uninstall or refrain from using them until the developers come up with a patch. 

source: SourceDNA via Ars Technica

17 Comments

1. waddup121 unregistered

Oooh...that ain't good Apple. That needs to be fixed ASAP.

2. Scott93274

Posts: 6040; Member since: Aug 06, 2013

Well, it looks like Apple already did their part. Now it's up to the individual app developers to fix their end. Sad thing is, the security integrity of the whole mobile platform suffers as a result of the lack of action from the developers of the 1,500 apps.

3. meanestgenius

Posts: 22201; Member since: May 28, 2014

Agreed. This is the fault of lazy developers, not Apple. Apple should remove the apps that are vulnerable to the HTTPS bug immediately, until those developers rectify the situation. I'm really surprised that Citrix is on the list. They should have been on top of this.

7. Scott93274

Posts: 6040; Member since: Aug 06, 2013

Agreed. I am very disappointed in Citrix for dragging their feet on this matter. I am familiar with some of their desktop applications, not so much for mobile though. I'm curious what functionality their apps offer.

9. meanestgenius

Posts: 22201; Member since: May 28, 2014

They are supposed to offer apps based on security. With a reputation like theirs, they really should have taken care of this on all levels.

13. Mxyzptlk unregistered

This is not on Apple. This is developer laziness. Apple already did the patching.

19. Scott93274

Posts: 6040; Member since: Aug 06, 2013

I agree with you 100%, unfortunately each one of those 1,500 apps is a security breach for Apple, I'm sure some are just crap apps that very few people actually have, but I'm sure that there are a few that might potentially impact millions of users. It's also concerning that the number of impacted apps has actually increased over time instead of decreasing. If Apple performs another scan will the number climb any higher?

5. bendgate unregistered

Where are Mxyzptlk and American parrot?

8. meanestgenius

Posts: 22201; Member since: May 28, 2014

Doubt they'll show up on this one.

10. 99nights

Posts: 1152; Member since: Mar 10, 2015

Don't worry, they will come, and mx will still try to tell you that Apple is bug free, due to the developers or not.

12. tedkord

Posts: 17408; Member since: Jun 17, 2009

Mxy is busy visiting all the Android and Samsung articles trying to convince people that Lollipop is awful.

15. Mxyzptlk unregistered

It's not that it's awful. It's just that it's sloppy work from Google. Kitkat is much better.

17. Mxyzptlk unregistered

I don't live here like you do.

6. bendgate unregistered

No OS is completely secured.

14. lektriczzz

Posts: 15; Member since: Aug 08, 2013

Fappening pt 3?

18. Salazzi

Posts: 537; Member since: Feb 17, 2014

I wish

16. shuaibhere

Posts: 1986; Member since: Jul 07, 2012

And now appstore officially officials have more malware than play store...
