76 Popular iOS Apps On App Store Found To Be Vulnerable To User Data Interception
Scanning the App Store for vulnerable apps is a big job, but Will Strafach’s verify.ly service has detected that there are 76 popular apps in the store which are currently vulnerable to data interception.
The discovery is unrelated to whether App Store developers take advantage of Apple’s App Transport Security, with apps remaining vulnerable even when fully compliant. While 76 apps may not sound like a lot given the number of apps currently available in the App Store, those apps are very much of the popular variety, with a cumulative 18 million downloads. That’s a lot of people susceptible to data inception.
Verify.ly has broken the apps down into three categories; low, medium, and high risk, going so far as to name some of those impacted. That said, 19 high and 24 medium risk apps have not been named as yet, with Strafach preferring to ensure that all of the developers involved with those apps have been notified ahead of time. 33 Low risk apps already named include a lot of apps related to Snapchat, and include ViaVideo, Snap Upload for Snapchat, and Uploader Free for Snapchat. Cheetah Browser and ooVoo amongst others are also listed by Strafach.
“The App Transport Security feature of iOS does not and cannot help block this vulnerability from working”, according to Strafach. ATS, which Apple introduced as part of iOS 9, was devised to improve user security and privacy by encouraging apps and their developers to use HTTPS for the transmitting of data.
Apple did set a date of January 1st, 2017 for all apps to have the feature configured but that date has since slipped. At the moment, Apple isn’t offering a new date at all. From our understanding of the issue at hand today, attacks would take advantage of mis-configured networking code that in turn can cause App Transport Security to believe that connections are legitimate TLS connections, even when they are not.
There is no possible fix to be made on Apple’s side, because if they were to override this functionality in attempt to block this security issue, it would actually make some iOS applications less secure as they would not be able to utilize certificate pinning for their connections, and they could not trust otherwise untrusted certificates which may be required for intranet connections within an enterprise using an in-house PKI. Therefore, the onus rests solely on app developers themselves to ensure their apps are not vulnerable.
Until fixes roll out by the app developers, users can try and reduce the risk of falling foul to data injection by using a VPN or simply avoiding public WiFi access points – both good security practices anyway. Or simply delete the apps until they get updated.