A number of popular apps are vulnerable to a 'man-in-the-middle' attack due to poorly implemented TLS protection, an examination of apps in the iOS App Store has revealed, with a security researcher claiming it is possible to read data sent back to the app developers' servers for 76 apps.
A bulk scan of the App Store by researcher Will Strafach of Sudo discovered some apps are "vulnerable to silent interception" of data usually protected by Transport Layer Security (TLS), which can then be read or manipulated before being forwarded to the company's servers. The apps identified in the report can be fooled into providing readable data; testing involved an iPhone running iOS 10 and a "malicious" proxy that presented invalid TLS certificates.
Strafach advises the attack could potentially be performed by the Internet service provider, but it is "unlikely in most Western regions." While it may be used in public places, with attackers posing as a Wi-Fi hotspot, Strafach suggests it could be used effectively anywhere within Wi-Fi range of the target device, with the potential for an attack to run from a "slightly modified mobile phone" or custom hardware, depending on the required range.
Of the identified apps, which are believed to have been collectively downloaded more than 18 million times, 33 are deemed to be low-risk apps, with accessible data found to be "partially sensitive" analytics and personal data, such as an email address, and "login credentials which would only be entered on a non-hostile network."
The ability to intercept service login credentials or session authentication tokens was found in 24 apps, which are considered a medium risk. A further 19 apps were deemed "high risk," due to the ability to intercept financial or medical service credentials, or to access the session authentication token for logged-in users.
Apps labelled as medium or high risk are not named in the report, though Strafach plans to identify the apps within 60 to 90 days after reaching out to the developers, to give them time to correct the issue. The low-risk app list includes the messaging service ooVoo, Snap Upload for Snapchat, Uconnect Access, Tencent Cloud, and Trading 212 Forex & Stocks.
End users concerned about their security are advised by Strafach to turn off Wi-Fi in public and use their carrier's data plan if they want to access apps that handle sensitive data. While cellular connections are still vulnerable to the same attack, intercepting them is considered a more difficult and expensive task compared to Wi-Fi, making such an attack less plausible.
It is noted that Apple's App Transport Security standard, a system for securing communications for iOS apps, is unable to thwart the attack. As ATS has to allow apps to "judge the certificate's validity," it could consider the illegitimate TLS connection as valid if the app deems it to be genuine.
"There is no possible fix to be made on Apple's side," Strafach asserts, as overriding this functionality would "actually make some iOS applications less secure as they would not be able to utilize certificate pinning for their connections, and they could not trust otherwise untrusted certificates which may be required for intranet connections with an enterprise."
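The failure the report describes is an app overriding the system's certificate check in its URL-loading delegate and accepting whatever the connection presents, which ATS cannot prevent because the app is allowed to make that judgement. The following Swift is an added illustration written for this article, not code from Strafach's report or from any of the named apps: it places the vulnerable delegate pattern beside a hardened one that first runs the system's chain validation (`SecTrustEvaluateWithError`) and then pins the SHA-256 digest of the leaf certificate. It assumes iOS 15 or later for `SecTrustCopyCertificateChain` and iOS 13 or later for CryptoKit; the host and digest in the usage section are placeholders.

```swift
import Foundation
import Security
import CryptoKit

// VULNERABLE pattern: the delegate hands back whatever server trust the
// connection presents, so a proxy with an invalid certificate is treated as
// genuine. ATS does not intervene because the app has "judged" the certificate.
final class TrustEverythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
           let trust = challenge.protectionSpace.serverTrust {
            // No trust evaluation is performed: validation is skipped entirely.
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

// HARDENED pattern: run the system's chain validation first (trusted root,
// expiry, and hostname via the SSL policy already attached to the challenge),
// then additionally pin the SHA-256 digest of the leaf certificate's DER bytes.
final class PinnedTrustDelegate: NSObject, URLSessionDelegate {
    // Hex SHA-256 digests of the certificates the app is willing to accept.
    private let pinnedLeafDigests: Set<String>

    init(pinnedLeafDigests: Set<String>) {
        self.pinnedLeafDigests = pinnedLeafDigests
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Step 1: standard validation. This step alone is what the vulnerable apps skip.
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 2: pin the leaf (index 0 of the evaluated chain) so that even a
        // CA-issued but unexpected certificate is rejected.
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first,
              pinnedLeafDigests.contains(Self.sha256Hex(SecCertificateCopyData(leaf) as Data)) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        completionHandler(.useCredential, URLCredential(trust: trust))
    }

    private static func sha256Hex(_ data: Data) -> String {
        SHA256.hash(data: data).map { String(format: "%02x", $0) }.joined()
    }
}

// Usage. The host and digest below are placeholders (assumptions), not real values.
let delegate = PinnedTrustDelegate(pinnedLeafDigests: ["<sha256-hex-of-expected-leaf-certificate>"])
let session = URLSession(configuration: .ephemeral, delegate: delegate, delegateQueue: nil)
let task = session.dataTask(with: URL(string: "https://api.example.com/login")!) { _, response, error in
    // A validation or pinning failure surfaces here as an error instead of a silently intercepted session.
    if let error = error {
        print("request failed: \(error)")
    } else {
        print("status: \((response as? HTTPURLResponse)?.statusCode ?? -1)")
    }
}
task.resume()
```

The two delegates differ in exactly the way the report describes: the first never calls into the system evaluator, while the second lets `SecTrustEvaluateWithError` enforce the normal rules and only then adds pinning on top, which is the behaviour Strafach notes Apple cannot impose globally without breaking legitimate enterprise and pinning use cases. Pinned digests should be ones the developer controls and rotates; pinning a certificate that expires without shipping a replacement digest turns a security control into an outage.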
"Therefore, the onus rests solely on app developers themselves to ensure their apps are not vulnerable."