Thousands of iOS apps left open to snooping thanks to SSL bug

iOS developers are being urged to update their apps to use the latest version of a library that fixes a security flaw that leaves their apps exposed to man-in-the-middle attacks.
Written by Liam Tung, Contributing Writer

Researchers have uncovered around 25,000 iOS apps that use old versions of a popular networking library, leaving them open to attackers on the same network viewing encrypted traffic.

The bug affects Secure Sockets Layer (SSL) code in AFNetworking, a networking library developers can use to build components of iOS apps. The framework has been updated three times in the past six weeks, addressing numerous SSL flaws that leave apps vulnerable to man-in-the-middle attacks.

The latest version of AFNetworking, 2.5.3, fixes a weakness in the library's domain name validation process. SourceDNA, the security firm that discovered the recurrent flaw, said on Friday that at least 25,000 apps are still running an outdated version.

"If you are using AFNetworking (any version), you must upgrade to 2.5.3," SourceDNA said. "Also, you should enable public key or certificate-based pinning as an extra defense. Neither of these game-over SSL bugs affected apps using pinning."

Explaining the bug, SourceDNA added: "Domain name validation could be enabled by the validatesDomainName flag, but it was off by default. It was only enabled when certificate pinning was turned on, something too few developers are using."

The net result for end users is that an attacker on the same wi-fi network could fairly easily view data in transit, which should otherwise have been encrypted. "Because the domain name wasn't checked, all they needed was a valid SSL certificate for any web server, something you can buy for $50," SourceDNA said.

Somewhat oddly, the bug appears to have crept back into the 2.5.2 release despite the same issue being addressed in a prior version.

As per AFNetworking's update on GitHub last week, the library's default security policy now validates the domain name and doesn't validate against pinned certificates or public keys.
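To make the policy behaviour described above concrete, here is an added Python model (not AFNetworking's own Objective-C code) of the three decision points a client-side TLS policy goes through: chain trust, pinning, and the domain-name check that the `validatesDomainName` flag controlled. The `Policy` and `Cert` classes and the sample certificates are constructed for illustration and are assumptions, not the library's API.

```python
from dataclasses import dataclass

@dataclass
class Cert:
    """Constructed stand-in for a leaf certificate: its DNS names and a public-key id."""
    names: list
    public_key: str
    chain_trusted: bool = True  # True when a CA the device trusts signed it

def name_matches(presented: str, host: str) -> bool:
    """Exact match, or a single leading '*.' wildcard covering exactly one label."""
    presented, host = presented.lower(), host.lower()
    if presented == host:
        return True
    if presented.startswith("*."):
        return (host.endswith(presented[1:])
                and host.count(".") == presented.count("."))
    return False

@dataclass
class Policy:
    """Simplified model (assumption) of a security policy like AFSecurityPolicy."""
    validates_domain_name: bool
    pinned_keys: frozenset = frozenset()

    def evaluate(self, cert: Cert, host: str) -> bool:
        if not cert.chain_trusted:
            return False                      # chain validation always applies
        if self.pinned_keys and cert.public_key not in self.pinned_keys:
            return False                      # pinning rejects any other key
        if self.validates_domain_name and not any(
                name_matches(n, host) for n in cert.names):
            return False                      # the check 2.5.2 skipped by default
        return True

# Constructed certificates: one validly issued to an attacker's own domain,
# one issued to the app's real API domain.
ATTACKER_CERT = Cert(names=["attacker-owned.example"], public_key="KEY-ATTACKER")
REAL_CERT = Cert(names=["*.example.com"], public_key="KEY-REAL")
API_HOST = "api.example.com"

def old_default() -> Policy:    # 2.5.2 behaviour: no domain check unless pinning
    return Policy(validates_domain_name=False)

def fixed_default() -> Policy:  # 2.5.3 behaviour: domain check on, no pinning
    return Policy(validates_domain_name=True)

def pinned_policy() -> Policy:  # what SourceDNA recommends on top of upgrading
    return Policy(validates_domain_name=True, pinned_keys=frozenset({"KEY-REAL"}))

if __name__ == "__main__":
    print("old default accepts attacker cert:", old_default().evaluate(ATTACKER_CERT, API_HOST))
    print("fixed default accepts attacker cert:", fixed_default().evaluate(ATTACKER_CERT, API_HOST))
```

The model shows why pinned apps were unaffected: a pinned key rejects the attacker's certificate before the domain check is even reached.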

The bug in the 2.5.2 release was discovered by a security engineer at Yelp, one of many companies that use the library. Security researchers looking at previous SSL bugs in the library have noted that other popular apps such as Pinterest, Heroku, and Simple used it for OS X and iOS apps.
