Dozens of iOS apps vulnerable to data theft, despite ATS mandate

SHARE


Enterprise iOS users, beware: 76 popular iOS apps are vulnerable to silent man-in-the-middle attacks that allow data to be intercepted and stolen, regardless of whether or not developers are using App Transport Security (ATS), a report from verify.ly found.

These apps have a combined total of 18 million downloads, according to verify.ly, a service that scans through binary codes of applications in the iOS App Store searching for vulnerabilities.

This news comes despite Apple’s efforts to ramp up iOS app security. In June 2016, Apple announced that it would require all iOS apps to use HTTPS connections by January 1, 2017. However, in December 2016, Apple said it was extending this deadline, but has yet to announce a date.

Once the deadline is set, apps must enforce the ATS feature, which was originally released with iOS 9. ATS forces the connections to HTTPS instead of HTTP, in order to strengthen privacy.

However, “The App Transport Security feature of iOS does not and cannot help block this vulnerability from working,” Will Strafach, co-founder of verify.ly, wrote in a Monday post on Medium.

SEE: How to migrate to HTTPS using App Transport Security when developing iOS apps

In the post, Strafach explained that 33 of the applications are considered low-risk, in that “all data confirmed vulnerable to intercept is only partially sensitive analytics data about the device, partially sensitive personal data such as e-mail address, and/or login credentials which would only be entered on a non-hostile network.” Low-risk apps include Snap Upload for Snapchat, VICE News, Cheetah Browser, and CodeScanner by ScanLife.

Twenty-four of the iOS applications fall into the “medium risk” category, in that verify.ly “confirmed ability to intercept service login credentials and/or session authentication tokens for logged in users.” And 19 of the apps are considered high risk, with “confirmed ability to intercept financial or medical service login credentials and/or session authentication tokens for logged in users.”

While Strafach listed all 33 of the low-risk apps in his post, those marked as medium or high risk will be publicly released in 60-90 days, after the company reaches out to the affected banks, medical providers, and other developers of sensitive applications.

Unfortunately, app developers are the only party who can fully mitigate these vulnerabilities, Strafach said. “It is derived from networking-related code within iOS applications being misconfigured in a highly unfortunate manner,” he wrote.

Because of this, the ATS feature will see the connection as a valid HTTPS connection, Strafach said. “There is no possible fix to be made on Apple’s side, because if they were to override this functionality in attempt to block this security issue, it would actually make some iOS applications less secure as they would not be able to utilize certificate pinning for their connections, and they could not trust otherwise untrusted certificates which may be required for intranet connections within an enterprise using an in-house PKI,” he wrote in the post.

Therefore, it’s the responsibility of app developers to ensure their product is not vulnerable, Strafach said. He also advised developers to use caution when changing the app behaviors or using network-related code.

Companies that offer an application in the iOS App Store should consider analyzing builds prior to submitting the app to the store, Strafach wrote. In the meantime, since this vulnerability is most likely to be exploited over Wi-Fi, end users who need to check sensitive data in an app while on a public network should open “Settings,” and turn the “Wi-Fi” switch off prior to using the app, as it would be much more difficult for an attacker to intercept information over a cellular network.

The 3 big takeaways for TechRepublic readers

  1. Seventy-six iOS apps with a combined 18 million downloads are vulnerable to data theft, according to new data from app security firm verify.ly.
  2. These apps experienced vulnerabilities whether or not developers used Apple’s App Transport Security, which forces connections to HTTPS instead of HTTP
  3. Developers are the only ones who can solve these vulnerabilities, according to verify.ly co-founder Will Strafach. In the meantime, companies and end users can also take steps to protect their sensitive data.

Also see