Thanks to an unpatched HTTPS-related vulnerability in a popular third-party library, there are now around 1,500 iOS apps out there that are vulnerable to man-in-the-middle attacks, which could enable hackers to acquire personal information, such as bank details, with minimal effort. These apps have been collectively downloaded millions of times, thus exposing millions of iOS users to potential attacks.
Around 1,500 iOS applications are vulnerable to simple man-in-the-middle attacks thanks to an HTTPS-related vulnerability in a third-party library common to them all. The flaw could allow someone to snoop on a user’s personal information, including bank account details, with very little effort. According to a report published by SourceDNA, the 1,500 iOS apps in question all use one specific version of an open-source networking library: AFNetworking 2.5.1. The flawed version of the library was released in January this year, and was patched with version 2.5.2 three weeks ago. The flaw relates to the way the AFNetworking library, called upon by an app, performs SSL certificate validation. Essentially, SSL certificates are never validated in version 2.5.1 of the library due to an error, meaning that anyone who sends a fraudulent certificate to the app will have it automatically accepted. This means that, for example, someone could set up a free Wi-Fi network within a cafe, and then steal an unsuspecting user’s bank account information through fake SSL certificates and proxies when they use an affected banking application.