Will Strafach, a security researcher, has found dozens of iOS apps that should be encrypting their users' data but do not do so properly. The cause appears to be a misconfiguration in the apps' networking code.
Will Strafach is the CEO of Sudo Security Group. He found 76 iOS apps vulnerable to attacks that can intercept data that should be protected. Strafach attributes the problem to a mistake developers made in the networking code, which causes the apps to accept invalid Transport Layer Security (TLS) certificates.
TLS protects an app's traffic while it is in transit over the internet. When an app fails to validate the server's certificate, an attacker on the same network can present a certificate of their own, sit between the app and its server, and read everything the app sends, including login credentials. The attacker only needs to be within Wi-Fi range of the device, so data is at risk on any public network and even at home if an attacker gets close enough.
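To make the misconfiguration concrete, here is an added example (not code from the article or from any of the affected apps) of the pattern that produces it in a Swift app, alongside a hardened version. The delegate class names, the `api-leaf.der` bundle resource and the `makePinnedSession` helper are assumptions for illustration; the underlying API calls are the standard `URLSession` and `Security` framework calls.

```swift
import Foundation
import Security

// Added example (not code from the article or from any of the apps studied).
// Assumption: the misconfiguration is a URLSessionDelegate that answers the
// server-trust challenge without evaluating the trust object, which is one
// common way an iOS app ends up accepting any TLS certificate.

/// Vulnerable pattern: treats whatever certificate the server sent as valid.
/// A proxy presenting a self-signed certificate is accepted, so the proxy can
/// read and alter every request.
final class TrustAnythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Wrong: wrapping the unevaluated SecTrust in a credential bypasses validation.
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

/// Hardened pattern: let the system evaluate the chain against the trusted
/// root store, then additionally pin the leaf certificate to a copy shipped
/// in the app bundle. Any mismatch cancels the connection.
final class PinnedDelegate: NSObject, URLSessionDelegate {
    /// DER-encoded leaf certificate bundled with the app (assumed resource).
    private let pinnedLeaf: Data

    init(pinnedLeaf: Data) {
        self.pinnedLeaf = pinnedLeaf
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Step 1: standard chain validation (expiry, hostname, trusted root).
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 2: compare the presented leaf certificate with the pinned copy.
        guard let leaf = SecTrustGetCertificateAtIndex(trust, 0),
              (SecCertificateCopyData(leaf) as Data) == pinnedLeaf else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

/// Usage: load the pinned certificate and build a session with the hardened delegate.
func makePinnedSession() -> URLSession? {
    guard let url = Bundle.main.url(forResource: "api-leaf", withExtension: "der"),
          let der = try? Data(contentsOf: url) else {
        return nil
    }
    return URLSession(configuration: .default,
                      delegate: PinnedDelegate(pinnedLeaf: der),
                      delegateQueue: nil)
}
```

If pinning is not wanted, the smallest fix is simply to delete the vulnerable delegate method: with no delegate handling the server-trust challenge, `URLSession` performs the system's default certificate validation. `SecTrustEvaluateWithError` requires iOS 12 or later; on the iOS 10 devices mentioned in the article the equivalent call was `SecTrustEvaluate`, and `SecTrustGetCertificateAtIndex` has since been superseded by `SecTrustCopyCertificateChain` on iOS 15 and later.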
Strafach spotted the vulnerable apps after scanning them with verify.ly, a security service developed by his company. The service flagged hundreds of apps as likely to leak data to interception, but he confirmed only 76 of them as actually vulnerable.
How did he confirm it? He ran the apps on an iPhone with iOS 10 and, using a proxy, presented invalid TLS certificates to their connections. Of the 76 apps, 43 were at high or medium risk because they exposed login credentials.
More worrying, some of them are apps for medical services, banks, or other sensitive purposes. Their names have not been disclosed, to give the developers time to fix the issue.
The remaining apps posed a low risk, because they revealed less sensitive information, such as email addresses. Among these are third-party apps for uploading video to Snapchat, some less popular music streaming services, and the free messaging platform ooVoo.
Together, these 76 apps add up to 18 million downloads. Strafach has tried to contact the developers to warn them about the issue. Fixing it requires changing only a few lines of code.
As advice for iOS users: avoid public Wi-Fi to protect your data. On a mobile data connection it is much harder for an attacker to get into the position needed to intercept your traffic.
Image Source: Flickr