R Ju2ljgAt least 76 popular iOS apps have been found to be vulnerable to data inception, according to a report from a security expert.

The discovery was made by app binary code scanning service verify.ly and published in a Medium post by Sudo Security Group CEO Will Strafach, who revealed that the apps failed to make use of the Transport Layer Security protocol.

The TLS protocol secures communication between client and server. Without the protection, the apps are susceptible to data interception by an attacker with access to custom hardware such as modified smartphone, which can be used to initiate TLS certificate injection attacks. The interception is possible regardless of whether the developers chose to use Apple networking security feature, App Transport Security.

The truth of the matter is, this sort of attack can be conducted by any party within Wi-Fi range of your device while it is in use. This can be anywhere in public, or even within your home if an attacker can get within close range.

There is no possible fix to be made on Apple's side, because if they were to override this functionality in attempt to block this security issue, it would actually make some iOS applications less secure as they would not be able to utilize certificate pinning for their connections, and they could not trust otherwise untrusted certificates which may be required for intranet connections within an enterprise using an in-house PKI. Therefore, the onus rests solely on app developers themselves to ensure their apps are not vulnerable.

Apps in the vulnerable list included a number of popular downloads like third-party Snapchat apps, the official app for Vice News, and banking apps for banks based in Puerto Rico and Libya.

Strafach sorted the 76 apps into low, medium, and high risk categories, and says he is reaching out to developers to fix the problems before disclosing the most high-risk apps in the list. According to Strafach, more than 18,000,000 downloads of the vulnerable app versions have been downloaded from the App Store.

Until the issues are dealt with, Strafach advises users of the apps to avoid accessing them over Wi-Fi, as it's harder to exploit the vulnerabilities over a cellular network.

Tags: App Store, Security

Top Rated Comments

Kabeyun Avatar
Kabeyun
102 months ago
For the tl;dr crowd, the medium and high security risk app list won't be published for 60-90 days to give the devs time to mitigate the exploit. Bookmark the page and check back then!
This shows us, again, that Apple's scrutiny is far from perfect. In the mean time use VPN.
Not really, or at least this is a misleading statement. Obscure networking attacks are hardly particular to Apple devices. That's what bug bounties and security updates are for in all OS's. But if you prefer the wild west of the uncurated Google play store, go right ahead. But I agree with using a VPN service. Anyone who's fool enough to conduct financial transactions on an open WiFi network...
Score: 7 Votes (Like | Disagree)
Kabeyun Avatar
Kabeyun
102 months ago
There is nothing wrong or misleading about the fact that Apple missed it, and since security is important to all of us... that is why Apple should have caught the problem long before security researchers do (did in this specific case).
Respectfully disagree. The headline, "15,000 Ford cars involved in accidents this year" implies that there's something about Fords that's a particular problem. It may be true that app clearinghouses like Apple's App Store should scrutinize every line of submitted code, but it's misleading to suggest that this is a particularly Apple problem.
Score: 2 Votes (Like | Disagree)
nwcs Avatar
nwcs
102 months ago
Very much expected. Security is a moving target for both developers and consumers. What may be totally secure today could be insecure tomorrow. As for TLS, only TLS 1.2 is currently secure so it's using the right version at the right time. You also have to stay on top of third party libraries and think like an attacker. Troy Hunt shows how easy it is to break the security of a lot of apps. The problem is people don't think like an attacker and so miss critical areas.
Score: 1 Votes (Like | Disagree)
I7guy Avatar
I7guy
102 months ago
Maybe Apple's screeners shoulda woulda coulda, but it's completely fair for Apple to advertise iOS as safest and macOS as most secure vs major competitors. No guarantees ever, they don't claim it, and people don't expect a guarantee.

This problem exists in an order of magnitude greater numbers ('https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html') in Google Play. Your position seems to be that Apple has no right to market its more secure App Store as more secure unless is can guarantee zero exploits. Sure, bad stuff can get through, but if your main concern is the safety of offerings, you'll pick the App Store over Google Play every time. Inversely, Google isn't absolved of dealing with appsec just because they don't advertise it as an asset.
I'm not sure why apple can't advertise ios as safe, given the millions of apps in the app store, some small percentage have vulnerability issue. Absolute security is not a destination it's a process. In the same way a 5 start auto rating by NHTSA does not mean no deaths in accidents for that vehicle.

On another note, I'm going to start using LTE more instead of wifi.
Score: 1 Votes (Like | Disagree)
Kabeyun Avatar
Kabeyun
102 months ago
I'm not sure why apple can't advertise ios as safe, given the millions of apps in the app store, some small percentage have vulnerability issue. Absolute security is not a destination it's a process. In the same way a 5 start auto rating by NHTSA does not mean no deaths in accidents for that vehicle.

On another note, I'm going to start using LTE more instead of wifi.
I knew there was a better car analogy somewhere!

Cellular is better, at least compared to open WiFi, but get a respected VPN service if you take security seriously.
Score: 1 Votes (Like | Disagree)
Bokito Avatar
Bokito
102 months ago
This is pretty insane. Banking apps without (proper) TLS connection? You've gotta be ******** me.

In the western world banks (or other companies using sensitive data) would immediately be penalized for not securing their users data (and would likely lose a whole lot of customers).
Score: 1 Votes (Like | Disagree)
Read All Comments

Popular Stories

airtag purple

AirTag 2 Rumored to Launch Next Year With These New Features

Sunday November 17, 2024 5:18 am PST by
Apple released the AirTag in April 2021, so it is now three over and a half years old. While the AirTag has not received any hardware updates since then, a new version of the item tracking accessory is rumored to be in development. Below, we recap rumors about a second-generation AirTag. Timing Apple is aiming to release a new AirTag in mid-2025, according to Bloomberg's Mark Gurman....
Read Full Article89 comments
Magic Mouse Next to Keyboard

No, Apple CEO Tim Cook Didn't Say He Prefers Logitech's MX Master 3 Over the Magic Mouse

Sunday November 17, 2024 3:03 pm PST by
While the Logitech MX Master 3 is a terrific mouse for the Mac, reports claiming that Apple CEO Tim Cook prefers that mouse over the Magic Mouse are false. The Wall Street Journal last month published an interview with Cook, in which he said he uses every Apple product every day. Soon after, The Verge's Wes Davis attempted to replicate using every Apple product in a single day. During that...
Read Full Article316 comments
New Things Your iPhone Can Do in iOS 18

18 New Things Your iPhone Can Do in iOS 18.2

Wednesday November 13, 2024 2:09 am PST by
Apple is set to release iOS 18.2 next month, bringing the second round of Apple Intelligence features to iPhone 15 Pro and iPhone 16 models. This update brings several major advancements to Apple's AI integration, including completely new image generation tools and a range of Visual Intelligence-based enhancements. There are a handful of new non-AI related feature controls incoming as well....
Read Full Article26 comments
iPhone 17 Slim Feature Single Camera 1 Redux

'iPhone 17 Air' Rumored to Surpass iPhone 6 as Thinnest iPhone Ever

Monday November 18, 2024 1:07 pm PST by
In a research note with Hong Kong-based investment bank Haitong today, obtained by MacRumors, Apple analyst Jeff Pu said he agrees with a recent rumor claiming that the so-called "iPhone 17 Air" will be around 6mm thick. "We agreed with the recent chatter of an 6mm thickness ultra-slim design of the iPhone 17 Slim model," he wrote. If that measurement proves to be accurate, there would be ...
Read Full Article144 comments
iPhone 7 Lightning to Headphone Jack Adapter

Apple Seemingly Discontinuing Lightning to Headphone Jack Adapter Introduced Alongside iPhone 7

Sunday November 17, 2024 12:33 pm PST by
It appears that Apple is discontinuing the Lightning to 3.5mm headphone jack adapter that it released alongside the iPhone 7 and iPhone 7 Plus in 2016. The adapter was recently listed as "sold out" on Apple's online store in the U.S. and most other countries, according to MacRumors contributor Aaron Perris. The adapter remains available from Apple in only a handful of countries, such as...
Read Full Article167 comments
Apple TV 4K hero 221018 feature

It's 2009 Again: Apple is Apparently Reconsidering Making a TV

Sunday November 17, 2024 5:27 am PST by
Between around 2009 and 2011, it was repeatedly rumored that Apple would be releasing a TV, but that obviously never happened. Now, a decade-and-a-half later, Bloomberg's Mark Gurman says the idea is back on the table. In his Power On newsletter today, Gurman briefly mentioned that Apple has been "evaluating" the "idea of making an Apple-branded TV set." He did not provide any further...
Read Full Article379 comments