
TLS vulnerability in popular iOS apps allows user data to be intercepted in man-in-the-middle attack

A number of popular apps are vulnerable to a 'man-in-the-middle' attack due to poorly implemented TLS protection, an examination of apps in the iOS App Store has revealed, with a security researcher claiming that, for 76 apps, it is possible to read the data sent back to the app developer's servers.

A bulk scan of the App Store by researcher Will Strafach of Sudo discovered some apps are "vulnerable to silent interception" of data usually protected by Transport Layer Security (TLS), which can then be read or manipulated before being forwarded to the company's servers. In testing with an iPhone running iOS 10 and a "malicious" proxy presenting invalid TLS certificates, the apps identified in the report accepted the bogus certificates and handed over their traffic in readable form.

Strafach advises the attack could potentially be performed by the Internet service provider, but it is "unlikely in most Western regions." While it may be used in public places, with attackers posing as a Wi-Fi hotspot, Strafach suggests it could be used effectively anywhere within Wi-Fi range of the target device, with the potential for an attack to run from a "slightly modified mobile phone" or custom hardware, depending on the required range.

Of the identified apps, which are believed to have been collectively downloaded more than 18 million times, 33 are deemed to be low-risk apps, with accessible data found to be "partially sensitive" analytics and personal data, such as an email address, and "login credentials which would only be entered on a non-hostile network."


The ability to intercept service login credentials or session authentication tokens was found in 24 apps, which are considered medium risk. A further 19 apps were deemed "high risk" because financial or medical service credentials, or the session authentication token of a logged-in user, could be intercepted.

Apps labelled as medium or high risk are not named in the report, though Strafach plans to identify them 60 to 90 days after reaching out to the developers, to give them time to correct the issue. The low-risk list includes the messaging service ooVoo, Snap Upload for Snapchat, Uconnect Access, Tencent Cloud, and Trading 212 Forex & Stocks.

End users concerned about their security are advised by Strafach to turn off Wi-Fi in public and use their carrier's data plan when accessing apps that handle sensitive data. Cellular connections are still vulnerable to the same attack, but intercepting them is considered more difficult and expensive than intercepting Wi-Fi, making such an attack less plausible.

It is noted that Apple's App Transport Security (ATS), the system that enforces secure connections for iOS apps, is unable to thwart the attack. ATS still has to let an app "judge the certificate's validity" itself, so a connection to an attacker's proxy presenting an invalid certificate is treated as valid if the app's own code deems it genuine.

"There is no possible fix to be made on Apple's side," Strafach asserts, as overriding this functionality would "actually make some iOS applications less secure as they would not be able to utilize certificate pinning for their connections, and they could not trust otherwise untrusted certificates which may be required for intranet connections with an enterprise."

"Therefore, the onus rests solely on app developers themselves to ensure their apps are not vulnerable."
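The defect class the report describes, shown as an added example written for this page rather than code taken from the report or from any of the named apps: a `URLSessionDelegate` that answers the server-trust challenge with whatever certificate the peer presents (so a proxy with an invalid certificate is accepted, and ATS never gets a say), next to a delegate that first lets the system evaluate the chain and then pins the leaf public key. The pin value is a placeholder, and the example assumes iOS 14 or later for `SecTrustCopyKey`, `SecTrustEvaluateWithError` and CryptoKit.

```swift
import Foundation
import Security
import CryptoKit

// Added example, not code from the report or from any app it names.

// THE INSECURE PATTERN. This delegate never evaluates `serverTrust`, so any
// certificate, including one minted by an interception proxy, is accepted.
// ATS cannot override this decision: the app has "judged the certificate valid".
final class TrustEverythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // BUG: no evaluation of `trust` at all before handing it back as a credential.
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// THE HARDENED PATTERN. Standard X.509 evaluation (chain to a trusted root,
// expiry, hostname policy already attached by URLSession) happens first; only
// then is the leaf public key compared against an allow-list of digests.
final class PinningDelegate: NSObject, URLSessionDelegate {
    /// Base64 SHA-256 digests of the leaf key's external representation
    /// (raw key bytes as returned by SecKeyCopyExternalRepresentation, not a
    /// full SPKI structure). Ship at least one backup key to survive rotation.
    private let pinnedKeyHashes: Set<String>

    init(pinnedKeyHashes: Set<String>) {
        self.pinnedKeyHashes = pinnedKeyHashes
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            // Client-certificate or HTTP-auth challenges: leave them to the system.
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Step 1: system trust evaluation. A proxy's self-signed or mis-issued
        // certificate fails here, which is exactly the check the vulnerable
        // delegate above skips.
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 2: pin the leaf public key. Defeats a MITM that holds a valid
        // certificate from a root the device trusts but that the server never used.
        guard let leafKey = SecTrustCopyKey(trust),
              let keyData = SecKeyCopyExternalRepresentation(leafKey, nil) as Data? else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let digest = Data(SHA256.hash(data: keyData)).base64EncodedString()
        if pinnedKeyHashes.contains(digest) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage. The digest string is a placeholder (assumption); compute the real
// value from your server's certificate with the same hashing shown above.
let pinning = PinningDelegate(pinnedKeyHashes: ["REPLACE_WITH_BASE64_SHA256_OF_YOUR_SERVER_KEY="])
let session = URLSession(configuration: .default, delegate: pinning, delegateQueue: nil)
```

Two things to check when auditing an app for this issue: any `didReceive challenge` handler (or third-party networking library setting such as a disabled domain-name check) that reaches `.useCredential` without a successful `SecTrustEvaluate` call, and any code path that adds the peer's own certificate as an anchor before evaluating. Running the app against a proxy with a self-signed certificate, as the report did, is the quickest end-to-end confirmation.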



6 Comments

asdasd 21 Years · 5682 comments

I'm thinking of the man in the middle. I'm asking him to change his ways.

OutdoorAppDeveloper 15 Years · 1292 comments

They should adopt CloudKit if at all possible. Apple will handle the security (one thing they are very good at) and it is simple to implement and extremely reliable. CloudKit is free for most developers since the quotas scale by the number of active users.

asdasd 21 Years · 5682 comments

grangerfx said:
They should adopt CloudKit if at all possible. Apple will handle the security (one thing they are very good at) and it is simple to implement and extremely reliable. CloudKit is free for most developers since the quotas scale by the number of active users.

Probably even with CloudKit they would have to handle key pinning. There's a fundamental flaw in TLS.

kruegdude 13 Years · 340 comments

I would really like to know now if my banking apps are vulnerable, not 60-90 days from now. Seems to me this is too important to wait. Also, the general nature of the man in the middle attack is not targeting those specific apps so we're not giving up anything to the bad guys that they don't have already.

Bill

rick chapman 9 Years · 20 comments

It would be nice to know exactly which apps they found that are compromised. People could then double check their devices and maybe remove them until these issues are corrected.