A report published by SourceDNA on Monday revealed that approximately 1,500 apps in the Apple iTunes store contain an HTTPS-crippling flaw. Hackers can exploit the vulnerability to seize passwords, financial information, and other private data.
The security hole was discovered in software called AFNetworking, an open source library used by app developers to add networking capabilities to their programs. The vulnerability popped up in version 2.5.1 of AFNetworking, but was quickly patched with version 2.5.2.
"The day the flaw was announced and patched, a quick search in SourceDNA showed about 20,000 iOS apps (out of the 100k apps that use AFNetworking) both contained the AFNetworking library and were updated or released on the App Store after the flawed code was committed," according to the company. "Our system then scanned those apps with the differential signatures to see which ones actually had the vulnerable code. The results: 55 percent had the older but safe 2.5.0 code, 40 percent were not using the portion of the library that provides the SSL API, and 5 percent or about 1,000 apps had the flaw."
We reached out to SourceDNA for additional information but did not receive a reply.
Risky Coffee Shops
SourceDNA, which routinely scans and evaluates the code used in mobile apps, estimates that approximately 2 million people have downloaded apps that still contain the vulnerability. Examples of the more popular apps affected by the issue are Movies by Flixter with Rotten Tomatoes, the Alibaba.com mobile app, and even Citrix's OpenVoice Audio Conferencing.
The vulnerability is typically exploited in coffee shops with public Wi-Fi, or other locations where a user's connection can be monitored by a hacker. With the correct software, that individual can present the user's device with a fraudulent secure sockets layer certificate.
The AFNetworking software is supposed to check the authenticity of certificates and break off the networking connection if the certificate is invalid. In version 2.5.1 of the AFNetworking software, however, a logic error prevents the check from occurring. As a result, every SSL certificate would be accepted as valid, giving a hacker the ability to intercept sensitive data.
The Vulnerability of Coffee Shops
The news regarding the AFNetworking vulnerability underscores the fact that free Wi-Fi in coffee shops, hotels, and other public locations is inherently insecure.
Security firm Kaspersky offers a number of important tips for protecting data on the go. Among them: treat public Wi-Fi cautiously; use a virtual private network to connect to the Wi-Fi network; have anti-virus and anti-malware software installed and ensure that it's up to date; avoid surfing sensitive Web sites (such as financial institutions, social media, etc.) when using public networks; and consider using a mobile device to connect directly to a cellular network, or using a tethered connection through your phone to bypass the public Wi-Fi altogether.