After scanning through the binary code of applications in the iOS App Store, Will Strafach’s verify.ly service has detected that 76 popular apps in the store are currently vulnerable to data interception. The interception is possible regardless of whether App Store developers are using App Transport Security or not. A few months ago, similar vulnerabilities were discovered in Experian’s and myFICO Mobile’s iOS apps.
Strafach’s verify.ly service is dedicated to scanning apps in the iOS App Store for vulnerabilities, to help developers understand how to harden and secure their code. The scans look for recurring vulnerability patterns, and in the more worrying cases find the same pattern repeated across multiple applications. Today’s announcement is scary not only because the applications are so commonly used, but also because the vulnerable app builds have been downloaded more than 18,000,000 times.
In the report, Strafach has sorted the 76 apps into low, medium, and high risk categories. “The App Transport Security feature of iOS does not and cannot help block this vulnerability from working”, states Strafach. ATS, introduced in iOS 9, was meant to improve user security and privacy by pushing apps to use HTTPS. Apple originally set a date of January 1st, 2017 for all apps to have the feature configured, but has since pushed it back to an undetermined date. The issue lies in misconfigured networking code that causes Apple’s App Transport Security to see the connections as valid TLS connections, even if they’re not.
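To make the misconfiguration concrete, here is an added Swift illustration (not code from Strafach’s post or from any of the affected apps). It assumes the flaw is the familiar one of an app-level URLSession delegate that accepts whatever server certificate it is handed, which is how an interposed certificate can pass as a “valid” TLS connection while ATS is enabled; the hardened form beside it leaves trust evaluation to the system.

```swift
import Foundation
import Security

// VULNERABLE pattern (constructed illustration): the delegate overrides the
// server-trust challenge and accepts any certificate chain unconditionally.
// ATS only enforces that HTTPS is used; it does not see that the chain was
// never checked, so an interposed certificate is accepted as valid TLS.
final class AcceptAnythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if let trust = challenge.protectionSpace.serverTrust {
            // No evaluation of hostname, issuer, or expiry: trusts everything.
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

// HARDENED pattern: evaluate the presented chain with the system's trust
// policy (hostname match, chain to a trusted root, validity period) and
// cancel the connection if it fails. Simply not implementing this delegate
// method gives the same default behaviour; the explicit version is shown so
// the contrast with the vulnerable handler is visible.
final class SystemValidationDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            // Not a server-trust challenge: fall back to the default handling.
            completionHandler(.performDefaultHandling, nil)
            return
        }
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            // Chain did not validate: refuse to talk to this server.
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // Any additional pinning check would go here, after system validation.
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}
```

A code-review or static-scan check for this class of bug is to flag any server-trust challenge handler that calls the completion handler with `.useCredential` without first evaluating the trust object.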
Some of the apps given the low-risk designation include: ooVoo, ViaVideo, Snap Upload for Snapchat, Uploader Free for Snapchat, and Cheetah Browser. Unsurprisingly, a handful of the apps are Snapchat-centric applications, something Strafach discussed as being insecure last March.
As far as the medium and high risk applications go, Strafach is holding off on sharing that list until he has properly communicated the issues to the appropriate developers and companies behind the applications.
In the meantime, users can do a few things to help protect against these issues. A properly configured VPN could help mitigate this issue, since it shields the device’s traffic from an interceptor on the local network; this is something we have argued Apple should implement natively on iOS. If users decide against using a VPN on their devices, Strafach recommends that they turn off Wi-Fi instead.
Head over to Strafach’s post for the full and more technical breakdown.