
Data on 76 iOS TLS-protected apps vulnerable to MITM attack

A researcher has reported finding 76 iOS programs in Apple's App Store that, despite using the TLS security protocol, are vulnerable to man-in-the-middle (MITM) attacks that intercept and modify data in motion.

According to Will Strafach, CEO of mobile security company Sudo Security Group, a misconfiguration in these apps' networking-related code causes Apple's “App Transport Security” mechanism to interpret even insecure connections as valid TLS connections. This leaves these programs susceptible to exploits that leverage malicious proxies to insert invalid TLS certificates into connections, Strafach explained in a blog post published on Medium.

Nineteen of the 76 vulnerable apps pose a high risk for users, the blog post continues, because they give attackers the ability to intercept financial or medical service login credentials or session authentication tokens. Strafach will wait 60 to 90 days before publishing the list of medium- and high-risk apps, to give their developers time to resolve the issue. A list of affected low-risk apps can be found in the blog post.

The problem is not fixable on Apple's end, added Strafach, who noted that he found "hundreds more" applications with a high likelihood of possessing the same vulnerability, but chose only to count those instances that he could 100 percent confirm.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
