Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 internet speed test! ×
IOS Software Communications Encryption Network Networking Operating Systems Privacy Security The Internet Apple Technology

Dozens of Popular iOS Apps Vulnerable To Intercept of TLS-Protected Data ( 53

Researchers at Sudo Security Group Inc. discovered seventy-six popular applications in Apple's iOS App Store that had implemented encrypted communications with their back-end services in such a way that user information could be intercepted by a man-in-the-middle attack. According to Ars Technica, the applications could be fooled by a forged certificate sent back by a proxy, allowing their Transport Layer Security to be unencrypted and examined as it is passed over the internet. From their report: The discovery was initially the result of bulk analysis done by Sudo's, a service that performs bulk static analysis of application binaries from Apple's App Store. Will Strafach, president of Sudo, verified the applications discovered by the system were vulnerable in the lab, using a network proxy configured with its own Secure Socket Layer certificate. In the post about his findings being published today, Strafach wrote: "During the testing process, I was able to confirm 76 popular iOS applications allow a silent man-in-the-middle attack to be performed on connections which should be protected by TLS (HTTPS), allowing interception and/or manipulation of data in motion. According to Apptopia estimates, there has been a combined total of more than 18,000,000 (Eighteen Million) downloads of app versions which are confirmed to be affected by this vulnerability."

The data exposed by the vulnerability in each of the applications varied in sensitivity. For just less than half -- 33 of the applications -- the risk was relatively low, as most of the data was "partially sensitive analytics data," Strafach said. These apps included a number of third-party "uploader" apps for Snapchat (which exposed Snapchat usernames and passwords) and the Vice News app, among others. In 24 cases, the exposed data included login credentials or session tokens that would allow an attacker to hijack the account associated with the application, though those accounts were not tied to highly sensitive data. However, the remaining 19 applications left sensitive data exposed to attack. In these cases, Strafach "confirmed ability to intercept financial or medical service login credentials and/or session authentication tokens for logged in users."

This discussion has been archived. No new comments can be posted.

Dozens of Popular iOS Apps Vulnerable To Intercept of TLS-Protected Data

Comments Filter:
  • by AHuxley ( 892839 ) on Tuesday February 07, 2017 @03:14AM (#53817287) Homepage Journal
    Something new and internal to iOS between the user and app seller?
    A totally new network to Apple, the user and back to the app server/services?
    Make apps buy any trusted certificate they want and then be required use it?
    Anyone have any news on the cellular interception side in the wild? Thanks.
    Can a desktop computer do better? Has this all been fixed on most desktop OS?
    • This hack requires the victim to be connected to an usecure (or spoofed) wifi network (+ a vulnerable app).
      • by Anonymous Coward

        Or any network with terms of service or employment that authorize monitoring of network traffic.

    • Can a desktop computer do better? Has this all been fixed on most desktop OS?

      The article is sparse on details, but yes it sounds like an issue with not validating the certificate. From reading it looks like the apps are just connecting and accepting whatever certificate is presented.

      Assuming that's the case, the MitM takes place because the app doesn't verify the entire chain of trust back to the CA. The operation of going back through each link in the chain can take a (relatively) long time across a network, and can be quite slow on mobile networks. It may have been an intentiona

  • who cares? (Score:4, Interesting)

    by muffen ( 321442 ) on Tuesday February 07, 2017 @05:33AM (#53817541)
    76 apps missing cert pinning, how is that a story?
    So the attack is this then:

    1) Find user with non-certpinning app installed
    2) Trick user into installing a cert
    3) Trick the user into trusting the newly installed cert
    4) Modify the network settings on the users device to re-direct traffic via mitm proxy, or attack network such that traffic is re-directed via mitm proxy.
    5) How is this a story worth posting?

    I have no problems using apps without certpinning, any successfully attack requires, at the very least, two stupid decisions on part of the user.
    Also, not using certpinning != vulnerability.
    • by Anonymous Coward on Tuesday February 07, 2017 @06:11AM (#53817613)

      Because it's a excuse to talk shit about Apple, that's why it's Slashdot News worthy.

    • Re: who cares? (Score:2, Interesting)

      by Anonymous Coward

      The issue is not about cert pinning. This is about no TLS validation occurring, the apps use TLS to ensure ATS stays happy but you can use even a fresh self-signed certificate to perform the intercept.

  • by Anonymous Coward

    Are you sure about that? You can definitely pin certificates in iOS. The trustkit library provides an implementation, for example.
    poÅYet baskı []

    • Are you sure about that? You can definitely pin certificates in iOS. The trustkit library provides an implementation, for example. []

      You're expecting me to download security advice from a site called Why not link to this site [] instead?

You are always doing something marginal when the boss drops by your desk.