SSL Bug Exposes 25,000 iOS Apps to MITM Attack

Security researchers are warning of another major vulnerability in iOS library AFNetworking, exposing users of over 25,000 apps to man-in-the-middle (MITM) attacks.

The flaw was discovered after an earlier version, 2.5.1, was patched to address a bug which allowed the library to accept self-signed certificates, according to SourceDNA.

The group explained:

“A few weeks ago, we found that version 2.5.2 did fix this issue, but there was another flaw nearby in the same code. Domain name validation could be enabled by the validatesDomainName flag, but it was off by default. It was only enabled when certificate pinning was turned on, something too few developers are using.

This meant that a coffee shop attacker could still eavesdrop on private data or grab control of any SSL session between the app and the internet. Because the domain name wasn't checked, all they needed was a valid SSL certificate for any web server, something you can buy for $50.”

The researchers were doubly shocked to see that the flaw in question had been reported and fixed the day after the previous SSL bug was addressed, but no-one noticed it had been left out of the 2.5.2 update.

The developer has now released 2.5.3 to address this issue, and all developers using AFNetworking are urged to upgrade to it.

Public-key or certificate-based pinning for apps is also advised as an “extra defense”, since neither of the SSL bugs affected apps that used pinning.
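As an added illustration (not code from the article or from the AFNetworking project), the following AFNetworking 2.5.x configuration turns hostname validation on explicitly instead of relying on the library default the article describes, and pins the server's public key as the recommended extra defense. The bundled certificate name `api.example.com.cer` and the host `api.example.com` are placeholders.

```objective-c
#import <AFNetworking/AFNetworking.h>

// Builds a session manager whose TLS checks do not depend on AFNetworking's defaults.
// Assumes a DER-encoded copy of the server certificate, "api.example.com.cer"
// (placeholder name), is shipped in the app bundle.
static AFHTTPSessionManager *hardenedSessionManager(void)
{
    // Weak configuration described in the article for 2.5.2: the default policy
    // (no pinning) left validatesDomainName off, so a valid CA-issued certificate
    // for any hostname passed validation.
    //   AFSecurityPolicy *weak = [AFSecurityPolicy defaultPolicy];

    // Hardened configuration: pin the server's public key and state every
    // security-relevant setting explicitly rather than inheriting a default.
    AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey];
    policy.validatesDomainName = YES;      // certificate must match the requested hostname
    policy.allowInvalidCertificates = NO;  // reject self-signed, expired or untrusted-chain certificates

    // Load the pinned certificate (AFNetworking 2.x takes an NSArray of DER NSData).
    NSString *certPath = [[NSBundle mainBundle] pathForResource:@"api.example.com" ofType:@"cer"];
    NSData *certData = [NSData dataWithContentsOfFile:certPath];
    NSCAssert(certData != nil, @"pinned certificate missing from bundle; refusing to start without it");
    policy.pinnedCertificates = @[certData];

    AFHTTPSessionManager *manager =
        [[AFHTTPSessionManager alloc] initWithBaseURL:[NSURL URLWithString:@"https://api.example.com/"]];
    manager.securityPolicy = policy;
    return manager;
}

// Example request using the AFNetworking 2.x block signatures. A certificate that
// fails pinning or hostname validation never reaches the success block; the
// request is cancelled and the failure block receives the NSError.
static void fetchStatus(void)
{
    AFHTTPSessionManager *manager = hardenedSessionManager();
    [manager GET:@"v1/status"                       // placeholder endpoint
      parameters:nil
         success:^(NSURLSessionDataTask *task, id responseObject) {
             NSLog(@"response: %@", responseObject);
         }
         failure:^(NSURLSessionDataTask *task, NSError *error) {
             // Log and surface the error; do not fall back to an unpinned retry.
             NSLog(@"TLS or transport failure: %@", error);
         }];
}
```

Keep a rollover certificate pinned alongside the current one before the server key rotates, otherwise a planned rotation looks exactly like the attack the pin is meant to stop.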

“This also shows that a bug is not truly fixed until it has made it into a release and into your apps and out to the app stores,” said SourceDNA. “Developers need to track the code in their apps to be sure patches aren't lost along the way.”

Mobile security vendor Appthority claims in a new report that ‘stale apps’ represent a major risk to enterprise security because users often fail to update their apps to newer versions which address serious vulnerabilities.
