A severe vulnerability in a widely used iOS code library lets an attacker defeat the HTTPS protection of more than 25,000 iOS apps in Apple’s App Store through a man-in-the-middle (MITM) attack.
AFNetworking is a popular open-source library that developers use to add networking to their iOS and OS X applications. When evaluating a server’s SSL/TLS certificate, however, versions before 2.5.3 did not check by default that the certificate had been issued for the domain the app was actually connecting to.
iOS applications built with AFNetworking versions prior to 2.5.3 may therefore be exposed to a flaw that lets an attacker steal or tamper with sensitive data, even though the app is protected by SSL.
This is where the severity comes in: the attacker can use a valid SSL certificate for any domain name at all. The only requirement is that it be issued by a trusted certificate authority (CA), and such a certificate can be bought online for about $50.
“This meant that a coffee shop attacker could still eavesdrop on private data or grab control of any SSL session between the app and the Internet,” SourceDNA, a startup code analysis company, said of the AFNetworking flaw.
In practice the attack works like this: an attacker can claim to be facebook.com to a vulnerable app simply by presenting a valid certificate issued for freedomhacker.net. The two domains have no relation, yet because the certificate chains to a trusted CA and the app never compares its name with the host it requested, the connection is accepted.
An earlier AFNetworking flaw, in which SSL certificates were not validated at all, was disclosed by Ivan Leichtling, who works on incident discovery and response at Yelp. The domain name validation issue described here, believed to affect more than 25,000 iOS applications, was found by SourceDNA after that earlier fix had shipped.
Developers had assumed that the release of AFNetworking 2.5.2 eliminated the certificate validation problem and stopped attackers from using self-signed certificates to intercept encrypted traffic from vulnerable apps.
However, after that fix shipped, SourceDNA scanned apps that had moved to the patched version and found them still vulnerable: 2.5.2 validated the certificate chain but still did not validate the domain name.
This means anyone positioned as a man-in-the-middle on the network, such as an attacker on shared Wi-Fi, a rogue employee or a state-sponsored actor, can present their own CA-signed certificate for an unrelated domain and begin reading or modifying the supposedly encrypted traffic.
SourceDNA found a number of very large apps vulnerable to the flaw with a quick check for iOS apps that have domain name validation turned off. Apps that could be vulnerable included those of Bank of America, Wells Fargo and JPMorgan Chase Bank, and presumably more.
Apps from top iOS developers, including Yahoo and Microsoft, remained vulnerable to the SSL flaw during and after testing.
To avoid handing attackers a target list, SourceDNA has not published the names of vulnerable iOS apps. It did urge developers to upgrade to the latest AFNetworking release (2.5.3), which turns domain name validation on by default and so closes the hole.
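For developers who want to see what the weak and the corrected settings look like in app code, here is an added example. It is not SourceDNA’s code or AFNetworking’s own documentation; it assumes AFNetworking 2.x with AFHTTPSessionManager, uses the library’s real AFSecurityPolicy class and property names, and the host name and certificate file name are placeholders.

```objective-c
#import <AFNetworking/AFNetworking.h>

// WEAK: what AFNetworking did by default before 2.5.3. The certificate chain
// is checked against the system trust store, but the leaf certificate's name
// is never compared with the host being contacted, so a valid CA-signed
// certificate for any other domain is accepted for api.example.com.
AFHTTPSessionManager *weakManager = [AFHTTPSessionManager manager];
AFSecurityPolicy *weakPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeNone];
weakPolicy.validatesDomainName = NO;        // the pre-2.5.3 behaviour
weakManager.securityPolicy = weakPolicy;

// CORRECTED: require the certificate to be issued for the domain being
// connected to. 2.5.3 does this by default; setting it explicitly also
// protects builds still on 2.5.2 and guards against a later regression.
AFHTTPSessionManager *fixedManager = [AFHTTPSessionManager manager];
AFSecurityPolicy *fixedPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeNone];
fixedPolicy.validatesDomainName = YES;
fixedPolicy.allowInvalidCertificates = NO;  // never ship with YES
fixedManager.securityPolicy = fixedPolicy;

// STRONGER: pin the server's public key as well, so that even a mis-issued
// certificate from a trusted CA is rejected. The .cer file (placeholder
// name) is bundled with the app.
AFSecurityPolicy *pinnedPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey];
NSString *cerPath = [[NSBundle mainBundle] pathForResource:@"api.example.com" ofType:@"cer"];
pinnedPolicy.pinnedCertificates = @[[NSData dataWithContentsOfFile:cerPath]];
pinnedPolicy.validatesDomainName = YES;
pinnedPolicy.allowInvalidCertificates = NO;
fixedManager.securityPolicy = pinnedPolicy;

// A request through the hardened manager (placeholder URL). A MITM holding a
// valid certificate for some other domain now fails in the failure block.
[fixedManager GET:@"https://api.example.com/account"
       parameters:nil
          success:^(NSURLSessionDataTask *task, id responseObject) {
              NSLog(@"server identity verified, got %@", responseObject);
          }
          failure:^(NSURLSessionDataTask *task, NSError *error) {
              NSLog(@"request failed (possible MITM): %@", error);
          }];
```

One caveat for anyone applying the upgrade: moving to 2.5.3 only helps if the app does not itself set `validatesDomainName` to `NO` or `allowInvalidCertificates` to `YES`, settings that are often left over from development against a self-signed test server. Grep the code base for both property names before declaring the app fixed.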
How do I know if an app I’m using is vulnerable? SourceDNA has released a free tool that lets you check whether any of the applications you use are affected by the flaw.
Meanwhile, all iOS users should check the status of the apps they use, especially those that handle critical information such as financial or banking details or private conversations.
Developers are advised to patch the AFNetworking vulnerability immediately, and users should avoid vulnerable apps entirely until they have been updated.