Usually Apple fanboys brag a lot about the secure nature of iOS as compared to Android. However that doesn’t mean that every app on your iPhone is safe to use.
Recently a group of researchers at Sudo Security have discovered 76 applications with in the iOS App Store, that are vulnerable to man-in-the-middle attacks. What makes it more scarier is that these apps have more than 18 million device downloads.
The vulnerable apps were discovered during the development of firm’s mobile app analysis service verify.ly. It scans the binary code of applications within the Apple App Store.
Low, Medium and High Risk Apps
For 33 of the apps, this vulnerability was deemed to be low risk, vulnerable to intercept is only partially sensitive analytics data. These include Uconnect Access, Huawei HiLink, Tencent Cloud: and Cheetah Browser.
For 24 apps this vulnerability was deemed to be medium risk, whereas 19 of the iOS applications were found be high risk. The ability to intercept financial or medical service login credentials and/or session authentication tokens for logged in users.
Bad Code That Apple Can’t Stop Either:
These vulnerabilities exist due to badly implemented networking code by app developers. Any attacker within nearby range of a vulnerable device can inject their own certificate to intercept the user’s data.
App transport security feature by Apple won’t be able to stop attacker’s certificate because it sees a valid connection.
High Risk Apps aren’t named:
Currently, the list of medium and high risk apps are only available to limited parties due to sensitivity. These will be posted in a follow up within 60 to 90 days, after reaching out to affected parties.
There is no possible fix to be made on Apple’s side and the onus rests solely on app developers themselves to ensure their apps are not vulnerable.