
Dozens of Popular iOS Apps Vulnerable to Intercept of TLS-Protected Data

Accepted submission by Fnord666 at 2017-02-07 05:28:48
Security

While developing a tool for evaluating mobile application security, researchers at Sudo Security Group Inc. found out something unexpected. Seventy-six popular applications in Apple's iOS App Store, they discovered, had implemented encrypted communications with their back-end services in such a way that user information could be intercepted by a man-in-the-middle attack. The applications could be fooled by a forged certificate sent back by a proxy, allowing their Transport Layer Security to be unencrypted and examined as it is passed over the Internet.

The discovery was initially the result of bulk analysis done by Sudo's verify.ly, a service that performs bulk static analysis of application binaries from Apple's App Store. Will Strafach, president of Sudo, verified the applications discovered by the system were vulnerable in the lab, using a network proxy configured with its own Secure Socket Layer certificate.

In the post about his findings being published today [medium.com], Strafach wrote:

During the testing process, I was able to confirm 76 popular iOS applications allow a silent man-in-the-middle attack to be performed on connections which should be protected by TLS (HTTPS), allowing interception and/or manipulation of data in motion. According to Apptopia estimates, there has been a combined total of more than 18,000,000 (Eighteen Million) downloads of app versions which are confirmed to be affected by this vulnerability.

Ars independently verified that several applications discovered by Strafach were vulnerable. These sorts of vulnerabilities are nothing new; thousands of applications have incorporated bugs that caused TLS to become vulnerable to attack, both on iOS and Android. But the fact that they persist even as Apple tries to push developers toward greater security is disconcerting, to say the least—especially in applications that could expose financial or health data along with user credentials.

[...] The names of these apps are not currently being published. "Currently, this list is only available to limited parties due to sensitivity," Strafach wrote. "I have been in touch with MITRE and will follow up later with a listing of the CVE IDs for affected iOS applications of which data interception would be considered medium risk or high risk."
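The bug class described above, shown in code as an added example that is not from the article, from Strafach's post or from Sudo's tooling: a URLSession delegate that accepts whatever certificate the server (or an interposed proxy) presents, beside one that runs the system trust evaluation and then requires the leaf certificate to match a pinned SHA-256 digest. The class names and the pin values are assumptions; the pinned-digest set would be filled with the digests of the app's real back-end certificates.

```swift
import Foundation
import Security
import CryptoKit

// Vulnerable pattern (hypothetical class name): every server certificate is accepted,
// so a proxy presenting a forged certificate is trusted and the TLS session can be read.
final class TrustEverythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if let trust = challenge.protectionSpace.serverTrust {
            // Wrapping serverTrust in a credential without evaluating it skips chain and hostname checks.
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

// Hardened pattern: system trust evaluation first, then a pin on the leaf certificate.
final class PinnedTrustDelegate: NSObject, URLSessionDelegate {
    // Hex SHA-256 digests of the DER-encoded leaf certificates the app expects (assumed values).
    private let pinnedLeafDigests: Set<String>
    init(pinnedLeafDigests: Set<String>) { self.pinnedLeafDigests = pinnedLeafDigests }

    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            return completionHandler(.performDefaultHandling, nil)  // not a server-trust challenge
        }
        let reject = { completionHandler(.cancelAuthenticationChallenge, nil) }
        // Step 1: chain validity, expiry and hostname, evaluated against the system trust store.
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else { return reject() }
        // Step 2: the validated leaf must also match a pinned digest, so a certificate issued
        // by any other CA (a proxy's included) is rejected even if it chains to a trusted root.
        guard let leaf = (SecTrustCopyCertificateChain(trust) as? [SecCertificate])?.first else { return reject() }
        let der = SecCertificateCopyData(leaf) as Data
        let digest = SHA256.hash(data: der).map { String(format: "%02x", $0) }.joined()
        guard pinnedLeafDigests.contains(digest) else { return reject() }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}
```

In a code review, the first delegate is the pattern to look for: any `didReceive challenge` handler that builds a `URLCredential(trust:)` without first evaluating the trust is accepting forged certificates.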

Source:

https://arstechnica.com/security/2017/02/dozens-of-popular-ios-apps-vulnerable-to-intercept-of-tls-protected-data/ [arstechnica.com]
