More Than 70 iOS Apps Found Vulnerable to Data Interception

Over 70 apps from Apple’s App Store have been discovered to be vulnerable to man-in-the-middle attacks, exposing a user’s personal data over Wi-Fi

With the overall quantity of information available in the world doubling every 18 months, it’s becoming more difficult for internet security professionals to differentiate between private, sensitive, and public data. In 2017, safety is viewed as a top priority at almost every tech convention, and security-related careers are receiving increased attention.

Since web traffic is rapidly moving from computer screens to smartphones, it’s only natural to expect smartphone-related data to be tightly secured. Unfortunately, this is not always the case.

Sudo Security group, through their verify.ly application, have uncovered a large set of applications which are questionable from a security standpoint, to say the least.

Will Strafach, the internet security specialist running this company, initially discovered the vulnerabilities while performing a bulk analysis of applications from Apple’s App Store. During this testing phase, Strafach wrote that he found 76 popular iOS applications which allowed silent man-in-the-middle attacks, over connections that should be protected by TLS.

These vulnerabilities allow attackers to intercept and manipulate the data that a user sends over an unsecured network.

The apps with these internet security issues are also very popular. At first glance, they have been downloaded more than 18 million times, and all of them are affected. While not all of the apps are extremely vulnerable, they can be divided into three clear categories:

  • The first 33 applications were low-risk. These applications allowed attackers to only intercept somewhat sensitive user information, such as usernames or emails in the worst cases. They did not allow the hackers to find sensitive login information, session information, or tokens. The worst you could expect from such an attack is more spam in your e-mail folder.
  • For 24 other applications, Strafach’s analysis determined that they are medium-risk. These applications have been confirmed to give out sensitive information such as session authentication tokens and/or service login credentials, which could ultimately lead to account hacking.
  • 19 other applications were deemed high-risk, due to the large quantity of private information easily available to attackers. They have been confirmed to leak extremely sensitive information such as financial credentials or medical information, two of the most critical categories of information you have on your phone.

Sadly, for iOS users, the built-in security feature of the App Store does not block these vulnerabilities at all. The users are thus left to deal with their internet security alone.

Removing these vulnerabilities will also help the user better understand man-in-the-middle attacks. Simply put, this kind of attack allows hackers to take valuable information that your phone is sending over the Wi-Fi network it is connected to. In most cases, the user is the one who tells the phone to connect to a certain unsecured Wi-Fi network and perform certain tasks, but in some cases, the attacker manages to connect the phone to the Wi-Fi network independently.

It’s also worth stating which apps have this issue. In the low-risk internet security category, we find apps such as VivaVideo, Snap Upload for Snapchat, or Volify. Currently, the applications which are considered medium and high risk are under investigation and will be published at a later date.

Apple cannot completely mitigate this vulnerability

Of course, the most important thing for any user is finding a solution to these issues. Sadly, application developers are the only ones who can completely mitigate this vulnerability, since Apple cannot act on their behalf.

For end users, the solution is relatively straightforward, since the vulnerability can only be exploited if you’re sending data over unsecured Wi-Fi networks. To be on the safe side, simply use encrypted Wi-Fi or deactivate your Wi-Fi connection before doing any sensitive tasks on your phone.

End users, as well as companies, can use the software provided by Will Strafach to find such internet security issues.

To mitigate the risks of man-in-the-middle attacks, take special care with what kind of information you allow the apps on your phone to send via Wi-Fi, as well as which Wi-Fi networks you’re using.

It just takes a few seconds for an attacker to intercept valuable information, and the effects can be disastrous – from your inability to use your social media accounts to financial losses. Mobile internet security is a very serious topic; the end user is the most vulnerable part of it.
