iOS apps vulnerable to man-in-the-middle attacks

Apps that skip certificate validation let attackers intercept traffic even with Apple's ATS security feature in place.

At least 76 of the most popular apps on Apple's iOS are susceptible to attacks that intercept and steal valuable data without leaving any trace. The weakness is not in iOS itself but in misconfigured networking code inside the apps, which makes them accept any secure sockets layer/transport layer security (SSL/TLS) certificate when establishing an encrypted connection, including one presented by an attacker.

All an attacker has to do is get within wi-fi range of a potential victim. From there, the misconfiguration lets the attacker present their own certificate, which the app accepts instead of rejecting it as untrusted. At that point the attacker holds a man-in-the-middle position on the network and can read and modify all data flowing in and out of the app.

The scope of the problem is huge, as the flaw could potentially affect millions of users. According to Will Strafach, information security expert and CEO of iOS security platform operator Sudo Security Group, the affected applications had been downloaded over 18 million times in total.

Strafach classified 33 of the 76 vulnerable apps as low-risk, because the data exposed is not very sensitive and its theft would not cause serious problems for the user. The remaining applications, however, could put sensitive and important data at serious risk. The low-risk list includes apps such as Huawei HiLink, which could leak device data, and Uconnect Access, which could potentially leak device usernames and passwords.

The remaining 43 apps, which Strafach categorised as medium and high-risk, could create far bigger problems by putting very sensitive data at risk. The names of the applications in this group have not been disclosed yet, and will stay undisclosed for at least two or three more months while developers work on fixes.

Apple has been stressing that developers should secure their applications' data communications over HTTPS using the App Transport Security (ATS) feature, but in this case that measure may not help at all. Even though Apple has said ATS is to become mandatory for all developers this year, according to Strafach it would not prevent these attacks: ATS requires an HTTPS connection, but the final decision about whether to trust the server's certificate is still left to the app's own code. When that code accepts every certificate, the attacker's certificate passes as valid and ATS sees no reason to block the connection.

In other words, ATS cannot fix the problem, as Strafach notes, because it allows apps to make their own judgement about certificate validity. Apple could only close this hole by taking that ability away, but doing so would make some apps less secure, because the same mechanism is what lets an app implement certificate pinning for its connections. There is therefore little Apple itself could have done to fix the problem.
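To make the misconfiguration described above concrete, here is an added example (written for this page, not code from Strafach, Sudo Security Group, Apple or any of the 76 apps) showing the two sides of the app-level trust decision that ATS leaves to developers. The first delegate is the pattern that produces the vulnerability: it wraps whatever certificate the server presents in a credential without ever evaluating it. The second runs the system's chain and hostname validation first and then pins the leaf certificate, which is the legitimate use of the same hook. The host name `api.example.com` and the pin value are placeholders, not real values for any service.

```swift
import Foundation
import Security
import CryptoKit

// Hypothetical host and pin. The pin is the base64 SHA-256 of the server's DER
// certificate, computed offline (placeholder value, not a real pin):
//   openssl s_client -connect api.example.com:443 </dev/null 2>/dev/null \
//     | openssl x509 -outform DER | openssl dgst -sha256 -binary | base64
let pinnedHost = "api.example.com"
let pinnedCertHashes: Set<String> = ["REPLACE_WITH_BASE64_SHA256_OF_DER_CERT"]

// VULNERABLE: the pattern behind the affected apps. Every server trust object
// is wrapped in a credential and accepted, so a self-signed certificate from a
// wi-fi attacker is treated exactly like the real one. ATS still sees an HTTPS
// connection that the app itself approved and does not intervene.
final class TrustAnythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if let trust = challenge.protectionSpace.serverTrust {
            // No SecTrustEvaluate* call: chain, expiry and hostname are never checked.
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

// HARDENED: run the system's validation first, then pin the leaf certificate.
final class PinningDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = space.serverTrust else {
            // Not a server-trust challenge (client cert, HTTP auth): let the system handle it.
            completionHandler(.performDefaultHandling, nil)
            return
        }
        guard space.host == pinnedHost else {
            // Unpinned hosts still get the normal system validation, never blanket trust.
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // 1. Full chain validation against the system roots, including hostname checking.
        let policy = SecPolicyCreateSSL(true, space.host as CFString)
        _ = SecTrustSetPolicies(trust, policy)
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // 2. Pin: the leaf certificate's DER hash must match one shipped with the app.
        guard let leaf = SecTrustGetCertificateAtIndex(trust, 0) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let der = SecCertificateCopyData(leaf) as Data
        let hash = Data(SHA256.hash(data: der)).base64EncodedString()
        if pinnedCertHashes.contains(hash) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Valid chain but not our certificate: refuse rather than fall back to default trust.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage: build the session with the hardened delegate; never ship the first one.
let session = URLSession(configuration: .ephemeral, delegate: PinningDelegate(), delegateQueue: nil)
```

The important line in the vulnerable delegate is the unconditional `completionHandler(.useCredential, URLCredential(trust: trust))`; any app, or any third-party networking library configured to "allow invalid certificates", that reaches that call without a preceding `SecTrustEvaluateWithError` is open to the attack the article describes. Pinning the leaf certificate, as the hardened delegate does, means the app must ship a new pin before every certificate rotation, so in practice one pins a backup as well or pins an intermediate CA's key instead.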

“The onus rests solely on app developers themselves to ensure their apps are not vulnerable,” Strafach said, adding that the risk of attack is much greater when a user's device is connected to wi-fi, because “cellular interception is more difficult, requires expensive hardware, is far more noticeable, and it is quite illegal (within the US)”.

For now, Strafach advises end users to avoid performing sensitive actions such as personal banking over a wi-fi connection, and to use a cellular connection instead.

Want to learn more about securing your personal data? Contact i2Biz specialists to learn about the latest security solutions.
