A bug in a popular iOS library means user data can be intercepted by attackers using any SSL certificate for any web server
As many as 25,000 iOS apps are vulnerable to man-in-the-middle attacks capable of stealing user data through the use of freely available SSL certificates.
Researchers at SourceDNA found the bug in version 2.5.2 of AFNetworking, a library used by many iOS and Mac OSX developers for networking functions, while checking to see if a flaw in version 2.5.1 that accepted self-signed certificates had been fixed.
Whilst checking the code, the team found that the original flaw had been patched but discovered an issue with domain name validation that meant data could be intercepted if an attacker used a valid SSL certificate.
“This meant that a coffee shop attacker could still eavesdrop on private data or grab control of any SSL session between the app and the Internet,” said the researchers. “Because the domain name wasn’t checked, all they needed was a valid SSL certificate for any web server, something you can buy for $50.”
Up to 100,000 apps are believed to use AFNetworking and SourceDNA has urged developers to ensure they are using the latest version of the library to protect user data. It has released a tool called Sourcelight which shows which applications are still vulnerable.
“We notified our customers and contacted the developer. He released the updated version 2.5.3 earlier this week. If you are using AFNetworking (any version), you must upgrade to 2.5.3. Also, you should enable public key or certificate-based pinning as an extra defense. Neither of these game-over SSL bugs affected apps using pinning.
“This also shows that a bug is not truly fixed until it has made it into a release and into your apps and out to the app stores. Developers need to track the code in their apps to be sure patches aren’t lost along the way.”
The maintainers of AFNetworking have disputed SourceDNA’s findings, claiming there is no way to tell whether an app is vulnerable or not without actually attempting a man in the middle attack. They add that AFNetworking “strongly recommends” certificate or public key pinning that would prevent such a vulnerability.
“Adding pinned SSL certificates to your app helps prevent man-in-the-middle attacks and other vulnerabilities,” they said. “Applications dealing with sensitive customer data or financial information are strongly encouraged to route all communication over an HTTPS connection with SSL pinning configured and enabled.”
Version 2.5.3 guards against such vulnerabilities by enabling domain name validation even when not using SSL pinning.
What do you know about the iPhone 6, iPhone 6 Plus and Apple Watch? Try our quiz!