Dozens of popular iOS applications are affected by vulnerabilities that allow man-in-the-middle (MitM) attackers to silently intercept data from connections that should be protected by TLS, a study has found.
The developers of verify.ly, a service designed for finding security issues in iOS apps, analyzed applications in the Apple App Store and identified hundreds that are likely vulnerable to data interception. Experts have tested each of them on an iPhone running iOS 10 and confirmed that 76 had been vulnerable.
According to Will Strafach, iOS security expert and developer of verify.ly, the affected applications have been downloaded more than 18 million times. The vulnerability is considered high risk in the case of 19 of the 76 applications, as they expose financial or medical service credentials or session authentication tokens.
The medium risk category includes 24 iOS apps, which also expose login credentials and session authentication tokens. The names of the high and medium risk apps have not been disclosed in order to give vendors time to patch the flaws.
Researchers identified 33 low risk applications, which allow attackers to intercept only partially sensitive information, including analytics data, email addresses, and login credentials that would only be entered on a trusted network. The list includes banking, VPN, entertainment, news, stock trading, chat, and Snapchat-related apps.
“This sort of [MitM] attack can be conducted by any party within Wi-Fi range of your device while it is in use. This can be anywhere in public, or even within your home if an attacker can get within close range,” Strafach explained. “Such an attack can be conducted using either custom hardware, or a slighly modified mobile phone, depending on the required range and capabilities. The best similar and well-understood form of attack to this would be the ability to read data from credit cards at a close range.”
Applications are vulnerable to these types of attacks due to the way their developers implement network-related code, which means only the developers can properly address the issue. However, end-users can protect themselves against potential attacks by utilizing the affected applications only over a cellular data connection, which is much more difficult to intercept compared to Wi-Fi.
An automated analysis of Android apps conducted back in 2014 by CERT/CC showed that thousands of applications were vulnerable to MitM attacks, and many of them are still vulnerable today.