Another iOS Flaw Breaks Security For Thousands Of Apps
Fresh off the heels of this flaw in iOS along with this flaw in iOS comes another flaw that is a real threat to iOS users. Here are the details:
We began auditing the AFNetworking SSL code after the previous vulnerability was announced. Version 2.5.1 would accept self-signed certificates (pretty much game over for your users’ data). It was released for only 6 weeks, and yet 1,500 apps+ were affected.
A few weeks ago, we found that version 2.5.2 did fix this issue, but there was another flaw nearby in the same code. Domain name validation could be enabled by the validatesDomainName flag, but it was off by default. It was only enabled when certificate pinning was turned on, something too few developers are using.
This meant that a coffee shop attacker could still eavesdrop on private data or grab control of any SSL session between the app and the Internet. Because the domain name wasn’t checked, all they needed was a valid SSL certificate for any web server, something you can buy for $50.
This flaw affects up to 25,000 apps, which is downright scary. If you’re worried about this, and you should be, SourceDNA set up an online service called Searchlight that can be used to check if the iOS apps installed on your iDevices are vulnerable.
One thing that you should know is that this service shows that apps from large developers like Microsoft, Yahoo and Google are potentially affected by the AFNetworking flaws. It really sounds like Apple and a lot of other people have a lot of work to do to fix this before some evildoer exploits this.
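For developers who want to check their own project rather than an installed app, the sketch below reads a CocoaPods Podfile.lock and the Objective-C sources and flags the two conditions described above. It is an added example, not SourceDNA's Searchlight or AFNetworking code. The sample lockfile and source snippets are constructed, the function names are hypothetical, and the pinning check is a text heuristic based on this article's description of 2.5.2.

```python
import re

# Added example: behaviour per version as described in the quoted findings.
FLAWED = {"2.5.1": "accepts self-signed certificates",
          "2.5.2": "domain name not validated by default"}

# Matches "- AFNetworking (2.5.2)" and subspecs such as
# "- AFNetworking/Security (2.5.2)", but not "(= 2.5.2)" dependency lines.
POD_RE = re.compile(r"^\s*-\s+AFNetworking(?:/\w+)? \((\d+(?:\.\d+)*)\)", re.M)
FLAG_RE = re.compile(r"\bvalidatesDomainName\s*=\s*(YES|NO)\b")
PINNING_RE = re.compile(r"\bAFSSLPinningMode(?:Certificate|PublicKey)\b")


def locked_version(lockfile_text):
    """Return the AFNetworking version recorded in Podfile.lock, or None."""
    match = POD_RE.search(lockfile_text)
    return match.group(1) if match else None


def audit(lockfile_text, sources):
    """Return findings for one app: lockfile text plus {path: source text}."""
    version = locked_version(lockfile_text)
    if version not in FLAWED:
        return []  # versions the article does not discuss are out of scope
    if version == "2.5.1":
        return [f"AFNetworking {version}: {FLAWED[version]}"]
    findings, protected = [], False
    for path, code in sorted(sources.items()):
        values = FLAG_RE.findall(code)
        if "NO" in values:
            findings.append(f"{path}: validatesDomainName explicitly set to NO")
        elif "YES" in values or PINNING_RE.search(code):
            protected = True
    if not findings and not protected:
        findings.append(f"AFNetworking {version}: {FLAWED[version]}, and no "
                        "source file enables validatesDomainName or pinning")
    return findings


# Constructed sample inputs (not taken from any real app).
SAMPLE_LOCK = """PODS:
  - AFNetworking (2.5.2):
    - AFNetworking/Security (= 2.5.2)
  - AFNetworking/Security (2.5.2)
"""
SAMPLE_DEFAULT = {"API.m": "manager.securityPolicy = [AFSecurityPolicy defaultPolicy];"}
SAMPLE_FIXED = {"API.m": "policy.validatesDomainName = YES;"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOCK, SAMPLE_DEFAULT):
        print(finding)
```

An empty result only means none of the conditions named in this article were found; it says nothing about versions the article does not cover.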
This entry was posted on April 27, 2015 at 10:21 pm and is filed under Commentary with tags Apple, Security.