SourceDNA Warns 1,500 iOS Apps Have Security Flaw
By Frederick Lane / CRM Daily
A report published by SourceDNA on Monday revealed that approximately 1,500 apps in the Apple iTunes store contain an HTTPS-crippling flaw. Hackers can exploit the vulnerability to seize passwords, financial information, and other private data.

The security hole was discovered in AFNetworking, an open source library that app developers use to add networking capabilities to their programs. The vulnerability was introduced in version 2.5.1 of AFNetworking and was quickly patched in version 2.5.2.

"The day the flaw was announced and patched, a quick search in SourceDNA showed about 20,000 iOS apps (out of the 100k apps that use AFNetworking) both contained the AFNetworking library and were updated or released on the App Store after the flawed code was committed," according to the company. "Our system then scanned those apps with the differential signatures to see which ones actually had the vulnerable code. The results: 55 percent had the older but safe 2.5.0 code, 40 percent were not using the portion of the library that provides the SSL API, and 5 percent or about 1,000 apps had the flaw."

We reached out to SourceDNA for additional information but did not receive a reply.

Risky Coffee Shops

SourceDNA, which routinely scans and evaluates the code used in mobile apps, estimates that approximately 2 million people have downloaded apps that still contain the vulnerability. Examples of popular apps affected by the issue include Movies by Flixster with Rotten Tomatoes, the mobile app, and even Citrix's OpenVoice Audio Conferencing.

The vulnerability is typically exploited in coffee shops with public Wi-Fi, or in other locations where a user's connection can be monitored by an attacker. With the right software, that attacker can present the user's device with a fraudulent Secure Sockets Layer (SSL) certificate.

The AFNetworking library is supposed to check the authenticity of the server's certificate and terminate the connection if the certificate is invalid. In version 2.5.1, however, a logic error prevents that check from running. As a result, every SSL certificate is accepted as valid, giving an attacker the ability to intercept sensitive data.
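The following is an added, simplified model of a server-trust policy, written for this article and not AFNetworking's own code. It shows how a small control-flow slip in the policy can make every certificate acceptable, and how a fail-closed regression test catches that class of bug before release; the `PinningMode`, `ServerTrust` and `SecurityPolicy` names and their fields are constructed for the example.

```python
"""Simplified model of a TLS server-trust policy (constructed for this
example; NOT AFNetworking's code). A flawed and a fixed evaluator are
shown side by side with a fail-closed regression check."""
from dataclasses import dataclass
from enum import Enum


class PinningMode(Enum):
    NONE = "none"                # rely on the system trust store only
    CERTIFICATE = "certificate"  # additionally require a pinned-cert match


@dataclass(frozen=True)
class ServerTrust:
    """Constructed stand-in for the OS trust object handed to the policy."""
    chain_trusted: bool  # the system trust store accepted the chain
    pin_matches: bool    # the leaf matches a pinned certificate


@dataclass(frozen=True)
class SecurityPolicy:
    pinning_mode: PinningMode = PinningMode.NONE
    allow_invalid_certificates: bool = False


def evaluate_flawed(policy: SecurityPolicy, trust: ServerTrust) -> bool:
    # Flawed: the trust-store check is only reached when pinning is on, so the
    # common no-pinning configuration accepts any certificate at all.
    if policy.pinning_mode is PinningMode.NONE:
        return True
    if not policy.allow_invalid_certificates and not trust.chain_trusted:
        return False
    return trust.pin_matches


def evaluate_fixed(policy: SecurityPolicy, trust: ServerTrust) -> bool:
    # Fixed: the chain must be trusted in every mode unless explicitly waived;
    # pinning is an additional requirement, never a replacement.
    if not policy.allow_invalid_certificates and not trust.chain_trusted:
        return False
    if policy.pinning_mode is PinningMode.CERTIFICATE:
        return trust.pin_matches
    return True


def accepts_untrusted_chain(evaluate) -> bool:
    """Fail-closed regression check: a default policy must reject a chain the
    trust store rejects, whatever the pin result. True means the policy is broken."""
    policy = SecurityPolicy()
    return any(evaluate(policy, ServerTrust(False, pin)) for pin in (False, True))
```

Running `accepts_untrusted_chain` against both evaluators in a unit test would have flagged the flawed version, since it accepts an untrusted chain under the default configuration.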

The Vulnerability of Coffee Shops

The news regarding the AFNetworking vulnerability underscores the fact that free Wi-Fi in coffee shops, hotels, and other public locations is inherently insecure.

Security firm Kaspersky offers a number of important tips for protecting data on the go. Among them: treat public Wi-Fi cautiously; use a virtual private network to connect to the Wi-Fi network; have anti-virus and anti-malware software installed and ensure that it's up to date; avoid surfing sensitive Web sites (such as financial institutions, social media, etc.) when using public networks; and consider using a mobile device to connect directly to a cellular network, or using a tethered connection through your phone to bypass the public Wi-Fi altogether.

© Copyright 2018 NewsFactor Network. All rights reserved.