
Some 1,500 iOS apps exposed to serious HTTPS vulnerability, analytics firm says

Approximately 1,500 iOS apps are exposed to a vulnerability that could let a hacker bypass HTTPS security and steal passwords and other sensitive data, according to research released on Monday.

Analytics firm SourceDNA said the problem traces back to AFNetworking, an open-source code library many apps use for networking functions. Version 2.5.1, released in January, accidentally introduced a bug which could let someone on the same Wi-Fi network — or otherwise able to monitor a connection — present a fake SSL certificate and successfully decrypt HTTPS data.

The bug causes AFNetworking to skip a certificate validation check entirely. The issue was first reported by Ars Technica.

The problem was solved with a v2.5.2 update three weeks ago, but many iOS apps are still using the old code, including some prominent titles like Alibaba, Uber, Movies by Flixster, and Citrix OpenVoice Audio Conferencing.

The number of exposed apps could exceed 1,500. SourceDNA said it analyzed 1 million of the 1.4 million titles in the App Store, including all free titles but only the top 5,000 paid ones. Affected apps were not only using an outdated version of AFNetworking but also failing to use certificate pinning, which restricts HTTPS connections to a specific, pre-approved certificate. Pinning is off by default in AFNetworking.
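As an added illustration (not code from the article, SourceDNA or the AFNetworking project), the snippet below shows the default AFNetworking 2.5.x security policy, which does no pinning, beside a manager configured to pin a bundled server certificate; the host name, the certificate file name and the use of the 2.5.x AFSecurityPolicy interface are assumptions.

```objective-c
// Added example, not from the article or AFNetworking. Assumes AFNetworking 2.5.x
// (AFSecurityPolicy, AFHTTPRequestOperationManager) and a DER-encoded copy of the
// server certificate shipped in the app bundle as "api-example-com.cer" (placeholder).
#import <AFNetworking/AFNetworking.h>

// Weak configuration: the default policy is AFSSLPinningModeNone, so the app relies
// solely on the chain validation that the 2.5.1 bug skipped. Nothing ties the
// connection to the real server's certificate.
static AFHTTPRequestOperationManager *UnpinnedManager(void) {
    AFHTTPRequestOperationManager *manager = [AFHTTPRequestOperationManager manager];
    // manager.securityPolicy is [AFSecurityPolicy defaultPolicy]: no pinning.
    return manager;
}

// Hardened configuration: pin the bundled certificate so a forged certificate is
// rejected even if ordinary chain validation is skipped or fooled.
static AFHTTPRequestOperationManager *PinnedManager(void) {
    NSString *certPath = [[NSBundle mainBundle] pathForResource:@"api-example-com"
                                                         ofType:@"cer"];
    NSData *certData = [NSData dataWithContentsOfFile:certPath];
    // Fail closed: a missing pin must never silently degrade to "no pinning".
    NSCAssert(certData != nil, @"pinned certificate missing from bundle");

    AFSecurityPolicy *policy =
        [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];
    policy.pinnedCertificates = @[certData];   // NSArray in 2.5.x (NSSet in 3.x)
    policy.allowInvalidCertificates = NO;      // never accept an untrusted chain
    policy.validatesDomainName = YES;          // certificate must also match the host

    AFHTTPRequestOperationManager *manager = [AFHTTPRequestOperationManager manager];
    manager.securityPolicy = policy;
    return manager;
}

// Example request against the assumed host; a pinning mismatch arrives as a
// connection failure, which is worth logging as possible TLS interception.
static void FetchSession(void) {
    [PinnedManager() GET:@"https://api.example.com/session"
              parameters:nil
                 success:^(AFHTTPRequestOperation *op, id responseObject) {
                     NSLog(@"session response: %@", responseObject);
                 }
                 failure:^(AFHTTPRequestOperation *op, NSError *error) {
                     NSLog(@"request failed, possible TLS interception: %@", error);
                 }];
}
```

Pinning a leaf certificate means the app must ship an update before that certificate is rotated; pinning the public key (AFSSLPinningModePublicKey) or an intermediate certificate reduces that churn.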

Before coming to a final tally, SourceDNA contacted developers privately, allowing some of them to fix the issue. Major companies like Uber, Yahoo, and Microsoft are said to have made app changes, although some of their apps are still exposed. A web-based search tool can be used to learn whether an app is vulnerable or has already been patched.

Late last week, security researcher Patrick Wardle wrote that OS X 10.10.3 has failed to completely fix RootPipe, a flaw that could allow Mac software to gain root access without authenticating. Wardle said that he is deliberately withholding details from the public for safety's sake, but has already notified Apple.



29 Comments

dipdog3 11 Years · 89 comments

Glad it is only iOS apps, all of us Android users are safe!

thewhitefalcon 10 Years · 4444 comments

[quote name="DipDog3" url="/t/185886/some-1-500-ios-apps-exposed-to-serious-https-vulnerability-analytics-firm-says#post_2713055"]Glad it is only iOS apps, all of us Android users are safe![/quote] That's like saying the missing plank in your neighbor's fence makes him unsafe, when you don't have [I]any[/I] fence, nor door or window locks in your house.

leavingthebigg 11 Years · 1291 comments

Suggestion to iOS developers: do the extra work to get things done instead of using third-party tools. When I was developing an app that used HTTPS, I looked at AFNetworking, then decided not to tie the success or failure of my app to a third party.

freerange 16 Years · 1597 comments

"Wardle said that he is deliberately withholding details from the public for safety's sake, but has already notified Apple." A big thank you goes out to Wardle!

MacPro 18 Years · 19845 comments

[quote name="TheWhiteFalcon" url="/t/185886/some-1-500-ios-apps-exposed-to-serious-https-vulnerability-analytics-firm-says#post_2713059"] That's like saying the missing plank in your neighbor's fence makes him unsafe, when you don't have [I]any[/I] fence, nor door or window locks in your house.[/quote] Great analogy! :D