A researcher has reported finding 76 iOS apps in Apple's App Store that, despite using TLS, are vulnerable to man-in-the-middle (MITM) attacks in which an attacker on the network path can intercept and modify data in transit.
According to Will Strafach, CEO of mobile security company Sudo Security Group, a misconfiguration in these apps' networking-related code causes Apple's "App Transport Security" (ATS) mechanism to treat even insecure connections as valid TLS connections. This leaves the apps open to attacks in which a malicious proxy on the network path presents an invalid TLS certificate and the app accepts it, Strafach explained in a blog post published on Medium.
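The misconfiguration described above is, in practice, usually an authentication-challenge handler that accepts whatever certificate the server presents, so the system's chain validation (and with it ATS) never gets a say. The following is an added example written for this page, not code from Strafach's post or from any of the affected apps: a vulnerable URLSession delegate of that kind, beside a hardened one that lets the system evaluate the chain and can optionally pin the leaf certificate. The class names and the `pinnedLeafDER` parameter are hypothetical.

```swift
import Foundation
import Security

/// VULNERABLE (hypothetical): returns a credential for any server trust
/// without evaluating it. Self-signed or mismatched certificates from a
/// TLS-terminating proxy are accepted exactly like valid ones.
final class TrustEverythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // No SecTrustEvaluate* call: the chain, hostname and expiry are never checked.
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

/// HARDENED (hypothetical): performs standard X.509 evaluation against the
/// system trust store for the requested host, then optionally pins the
/// leaf certificate's DER encoding.
final class VerifyingDelegate: NSObject, URLSessionDelegate {
    /// DER bytes of the expected leaf certificate; nil disables pinning.
    private let pinnedLeafDER: Data?

    init(pinnedLeafDER: Data? = nil) {
        self.pinnedLeafDER = pinnedLeafDER
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            // Not a server-trust challenge (e.g. HTTP auth): let the system handle it.
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Evaluate the presented chain as an SSL server certificate for this hostname.
        let policy = SecPolicyCreateSSL(true, challenge.protectionSpace.host as CFString)
        _ = SecTrustSetPolicies(trust, policy)
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            // Untrusted root, wrong hostname, expired, etc.: refuse the connection.
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Optional pinning: the leaf must be byte-for-byte the expected certificate.
        if let expected = pinnedLeafDER {
            let leaf: SecCertificate?
            if #available(iOS 15.0, macOS 12.0, *) {
                leaf = (SecTrustCopyCertificateChain(trust) as? [SecCertificate])?.first
            } else {
                leaf = SecTrustGetCertificateAtIndex(trust, 0)
            }
            guard let leafCert = leaf,
                  (SecCertificateCopyData(leafCert) as Data) == expected else {
                completionHandler(.cancelAuthenticationChallenge, nil)
                return
            }
        }

        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// Usage (hypothetical): the hardened delegate is a drop-in replacement.
let session = URLSession(configuration: .default,
                         delegate: VerifyingDelegate(),
                         delegateQueue: nil)
```

The simplest correct handler is one that returns `.performDefaultHandling` for server-trust challenges (or does not implement the callback at all); the explicit `SecTrustEvaluateWithError` path above is what you need once you add pinning or custom anchors. To check an app for this class of bug, route the device through a TLS-intercepting proxy whose root certificate is not installed on the device: a correctly validating app fails every HTTPS request, while an app with a handler like `TrustEverythingDelegate` keeps working.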
Nineteen of the 76 vulnerable apps pose a high risk to users, the blog post continues, because an attacker exploiting the flaw could intercept login credentials or session authentication tokens for financial or medical services. Strafach will wait 60 to 90 days before publishing the list of medium- and high-risk apps, to give their developers time to resolve the issue. A list of the affected low-risk apps can be found in the blog post.
The problem cannot be fixed on Apple's end, Strafach added, because the flaw lies in each app's own networking code rather than in iOS. He also noted that he found "hundreds more" applications with a high likelihood of having the same vulnerability, but chose to count only those instances he could confirm with 100 percent certainty.