Dozens of applications for Apple’s mobile devices are vulnerable to WiFi snoopers, a security researcher reported this week.
Will Strafach, CEO of the Sudo Security Group, identified 76 popular iOS apps available at Apple’s App Store that were vulnerable to wireless eavesdroppers, even though the connections were supposed to be protected by encryption.
There have been 18 million downloads of the vulnerable apps, he said.
Strafach categorized 33 of the vulnerable apps as “low risk.” Potentially intercepted information included partially sensitive analytics data about a device and partially sensitive personal data, such as an email address or login credentials.
VivaVideo, Snap Upload for Snapchat, Volify, Loops Live, Private Browser, Aman Bank, FirstBank, VPN One Click Professional, and AutoLotto: Powerball, MegaMillions Lottery Tickets are some of the apps he assigned to the low-risk category.
Strafach categorized another 24 iOS apps as “medium risk.” Potentially intercepted information included service login credentials and session authentication tokens for users logged onto the network.
Strafach labeled the remaining apps “high risk” because potentially intercepted information included the snatching of financial or medical services login credentials.
He did not identify the medium and high risk apps by name, in order to give their makers time to patch the vulnerability in their apps.
How concerned should users be about their security when using these apps?
“I tried to leave out anything regarding concern level, as I do not want to freak people out too much,” Strafach told TechNewsWorld.
“While this is indeed a big concern in my opinion, it can be mostly mitigated by turning off WiFi and using a cellular connection to perform sensitive actions — such as checking bank balances — while in public,” he said.
Man in the Middle Attack
If anything, Strafach is understating the problem, maintained Dave Jevans, vice president for mobile security products at Proofpoint.
“We’ve analyzed millions of apps and found this is a widespread problem,” he told TechNewsWorld, “and it’s not just iOS. It’s Android, too.”
Still, it likely is not yet a cause for great alarm, according to Seth Hardy, director of security research at Appthority.
“It’s something to be concerned about, but we’ve never seen it actively exploited in the wild,” he told TechNewsWorld.
What the vulnerability does is enable a classic man-in-the-middle attack. Data from the target phone is intercepted before it reaches its destination. It is then decrypted, stored, re-encrypted and then sent to its destination — all without the user’s knowledge.
To do that, an app needs to be fooled into thinking it’s communicating with a destination and not an evesdropper.
“In order for a man-in-the-middle attack to be successful, the attacker needs a digital certificate that’s either trusted by the application, or the application is not properly vetting the trust relationship,” explained Slawek Ligier, vice president of engineering for security at Barracuda Networks.
“In this case, it appears that developers are developing applications in a way that allows any certificate to be accepted,” he told TechNewsWorld. “If the certificate is issued and not expired, they’re accepting it. They’re not checking if it’s been revoked or even if it’s properly signed.”
Should Apple act to weed these vulnerable apps from behind its walled garden?
“Apple should most certainly remove any of the offending apps from the App Store,” said Sam McLane, head of security engineering at Arctic Wolf.
“This is something that is relatively easy to test for and should be enforced by Apple, since the trust model starts with the Apple ecosystem being safe for people to use,” he told TechNewsWorld.
Strafach disagreed. “The setup now is exactly as it should be with regards to developer control of networking code,” he said. “Developers can do something about this problem. For affected apps, the fix is only a few lines — less than an hour tops, if that, to fix the matter in affected code.”
If Apple tried to address this app vulnerability, it could create headaches for developers, especially those developing enterprise apps, noted Simeon Coney, chief strategy officer for AdaptiveMobile.
“A lot of app developers rely on current behaviors to do things like enterprise apps, which may not have a public certificate,” he told TechNewsWorld, “so the responsibility lies more with the app developers to make sure their apps aren’t bundled with this risk.”
Apple doesn’t want to force developers to fully trust certificates, added Ligier. “It will break a lot of things, especially internal apps, and generate a lot of unhappy users,” he said.
Nevertheless, developers should not release apps that allow for third-party certificates to be blindly accepted, McLane maintained.
“This is entirely in their hands to remedy,” he said. “It’s easily tested and only out of laziness would someone ever ship an app that had this egregious security hole in production level code.”