Dozens of popular iPhone apps are vulnerable to attacks that could allow hackers to intercept and steal potentially sensitive, encrypted data.
The findings, released in a blog post on Monday said the buggy apps could account for at least 18 million device downloads.
Among the 33 named apps, Uconnect Access can leak usernames and passwords, allowing an attacker to interfere with a user's vehicle, while Huawei HiLink can leak device data, and geolocation data and even keystrokes can be intercepted from users of Cheetah Browser.
Over 40 apps were confirmed as medium or high risk of man-in-the-middle attacks, allowing an attacker to intercept financial or medical service credentials.
Those affected apps weren't immediately named but are subject to a two- or three-month responsible disclosure period, during which the developers fix the issue, said Will Strafach, chief executive at Sudo Security Group (verify.ly), who wrote the blog post.
Strafach, whose company has a commercial stake in the mobile vulnerability space, said app users are safer when they're not using Wi-Fi.
"While on a cellular connection, the vulnerability does still exist. Cellular interception is more difficult, requires expensive hardware, is far more noticeable, and it is quite illegal (within the US)," he said.
What may be a simple enough problem could be difficult to fix across the board.
Badly implemented networking code by app developers means that the app will accept any certificate to establish an encrypted connection, according to Strafach.
An attacker within nearby range of a vulnerable device could trick the app into accepting their certificate, allowing them to siphon off any data to and from the app.
Making matters worse, Apple's app transport security feature won't block the attacker's certificate because it sees a valid encrypted connection.
And it's not as if Apple can help, said Strafach. If the company were to block the security flaw, it could make iPhone and iPad apps less secure, as apps would override certificate pinning, a security feature that prevents impersonation using fraudulent certificates.
"The onus rests solely on app developers themselves to ensure their apps are not vulnerable," he said.