Dozens of applications for Apple’s mobile devices are vulnerable to WiFi snoopers, a security researcher stated this week.
Will Strafach, CEO of the Sudo Security Group, identified 76 popular iOS apps available at Apple’s App Store that were vulnerable to wireless eavesdroppers, even though the connections were supposed to be protected by encryption.
There have been 18 million downloads of the vulnerable apps, he said.
Strafach categorized 33 of the vulnerable apps as “low risk.” Potentially intercepted information included partially sensitive analytics data about a device and partially sensitive personal data, such as an email address or login credentials.
VivaVideo, Snap Upload for Snapchat, Volify, Loops Live, Private Browser, Aman Bank, FirstBank, VPN One Click Professional, and AutoLotto: Powerball, MegaMillions Lottery Tickets are some of the apps he assigned to the low-risk category.
Strafach arranged another 24 iOS applications as “medium hazard.” Potentially caught data included administration login certifications and session verification tokens for clients signed onto the system.
Strafach named the rest of the applications “high hazard” in light of the fact that conceivably captured data incorporated the grabbing of budgetary or restorative administrations login qualifications.
He didn’t distinguish the medium and high hazard applications by name, keeping in mind the end goal to give their creators time to fix the helplessness in their applications.
How concerned ought to clients be about their security when utilizing these applications?
“I attempted to forget anything with respect to concern level, as I would prefer not to oddity individuals out excessively,” Strafach told TechNewsWorld.
“While this is to be sure a major worry as I would like to think, it can be generally alleviated by killing WiFi and utilizing a cell association with perform delicate activities -, for example, checking bank equalizations – while out in the open,” he said.
Man in the Middle Attack
If anything, Strafach is understating the problem, maintained Dave Jevans, vice president for mobile security products at Proofpoint.
“We’ve analyzed millions of apps and found this is a widespread problem,” he told TechNewsWorld, “and it’s not just iOS. It’s Android, too.”
Still, it likely is not yet a cause for great alarm, according to Seth Hardy, director of security research at Appthority.
“It’s something to be concerned about, but we’ve never seen it actively exploited in the wild,” he told TechNewsWorld.
What the vulnerability does is facilitate a classic man-in-the-middle attack. Data from the target phone is intercepted before it reaches its destination. It is then decrypted, stored, re-encrypted and then sent to its destination — all without the user’s knowledge.
To do that, an app needs to be fooled into thinking it’s communicating with a destination and not an evesdropper.
“In order for a man-in-the-middle attack to be successful, the attacker needs a digital certificate that’s either trusted by the application, or the application is not properly vetting the trust relationship,” explained Slawek Ligier, vice president of engineering for security at Barracuda Networks.
“In this case, it appears that developers are developing applications in a way that allows any certificate to be accepted,” he told TechNewsWorld. “If the certificate is issued and not expired, they’re accepting it. They’re not checking if it’s been revoked or even if it’s properly signed.”
Should Apple act to weed these vulnerable apps from behind its walled garden?
“Apple should most certainly remove any of the offending apps from the App Store,” said Sam McLane, head of security engineering at Arctic Wolf.
“This is something that is relatively easy to test for and should be enforced by Apple, since the trust model starts with the Apple ecosystem being safe for people to use,” he told TechNewsWorld.
Strafach disagreed. “The setup now is exactly as it should be with regards to developer control of networking code,” he said. “Developers can do something about this problem. For affected apps, the fix is only a few lines — less than an hour tops, if that, to fix the matter in affected code.”