1,500 iOS Apps Vulnerable to Hacks Due to Outdated Code

1,500 apps within the iOS App Store are vulnerable to man-in-the-middle attacks due to a bug in the way they establish secure connections with servers, meaning that anyone intercepting data from an iPad or iPhone could access logins, passwords and other sensitive material sent using the HTTPS protocol.

The bug was spotted by analytics company SourceDNA, which reports that Yahoo, Microsoft, Uber and Citrix were among the companies with the flawed code in one or more of their apps, exposing millions of users to attack.

Man-in-the-middle attacks enable a fake wi-fi hotspot to intercept data from devices connected to it. Usually these sorts of attacks, often called coffee shop hacks, are blocked because the fake hotspot cannot present a security certificate the device trusts for the server it is impersonating, but the bug meant the affected apps never checked the certificate at all.

The vulnerability originated in the open-source networking library AFNetworking, which is used by thousands of apps to handle connecting to servers. Version 2.5.1 of the library, introduced in January, contained the bug that meant HTTPS security certificates weren't checked.

Although a corrected version, 2.5.2, was released three weeks ago and fixes the vulnerability, a scan of apps within the iOS App Store found that around 1,500 were still shipping the old, vulnerable version.
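The practical question for an iOS team reading this is whether their own build still resolves AFNetworking to the affected release. The following is an added example (not SourceDNA's scanner and not AFNetworking project code) that parses a CocoaPods Podfile.lock and flags the version the article names as vulnerable, 2.5.1, pointing at 2.5.2 as the fix. The lockfile text embedded in it is constructed for illustration; the advisory table only lists what the article states.

```python
"""Flag a CocoaPods Podfile.lock that resolves AFNetworking to the release
the article describes as vulnerable (2.5.1, fixed in 2.5.2).

Added example; not SourceDNA's scanner and not AFNetworking project code.
The lockfile text below is constructed for illustration.
"""
import re
from typing import Dict, List

# Advisory table: pod -> (affected versions, first fixed version, summary).
# Only the versions named in the article are listed here.
ADVISORIES = {
    "AFNetworking": ({"2.5.1"}, "2.5.2",
                     "HTTPS server certificate not validated (MITM)"),
}

# Resolved pods sit at two-space indent under "PODS:" as
#   - Name (x.y.z)      or      - Name/Subspec (x.y.z):
# Lines indented further are dependency constraints such as "(= 2.5.1)";
# they are skipped because the version there starts with an operator.
RESOLVED_POD = re.compile(
    r"^  - (?P<name>[^/\s]+)(?:/\S+)?\s+\((?P<ver>\d[^)]*)\):?$"
)


def parse_podfile_lock(text: str) -> Dict[str, str]:
    """Return {pod_name: resolved_version} from the PODS: section only.

    Subspecs (Name/Subspec) are folded into their parent pod; CocoaPods
    resolves every subspec of a pod to the same version.
    """
    versions: Dict[str, str] = {}
    in_pods = False
    for line in text.splitlines():
        if line and not line[0].isspace():          # a section header
            in_pods = line.rstrip() == "PODS:"
            continue
        if in_pods:
            m = RESOLVED_POD.match(line)
            if m:
                versions[m.group("name")] = m.group("ver")
    return versions


def scan_lockfile(text: str) -> List[Dict[str, str]]:
    """Return one finding per pod whose resolved version is in ADVISORIES."""
    findings: List[Dict[str, str]] = []
    for pod, version in parse_podfile_lock(text).items():
        advisory = ADVISORIES.get(pod)
        if advisory and version in advisory[0]:
            findings.append({
                "pod": pod,
                "version": version,
                "fixed_in": advisory[1],
                "issue": advisory[2],
            })
    return findings


# Constructed sample: an app whose lockfile still resolves to 2.5.1.
SAMPLE_LOCK = """\
PODS:
  - AFNetworking (2.5.1):
    - AFNetworking/NSURLConnection (= 2.5.1)
    - AFNetworking/NSURLSession (= 2.5.1)
    - AFNetworking/Security (= 2.5.1)
  - AFNetworking/NSURLSession (2.5.1):
    - AFNetworking/Security
  - AFNetworking/Security (2.5.1)
  - Mantle (1.5.4)

DEPENDENCIES:
  - AFNetworking (~> 2.5)
  - Mantle
"""

if __name__ == "__main__":
    for f in scan_lockfile(SAMPLE_LOCK):
        print(f"{f['pod']} {f['version']}: {f['issue']}; upgrade to {f['fixed_in']}")
```

Because the check reads the lockfile rather than the Podfile, it reports the version that was actually resolved into the build, which is what matters for an app already in the store; a `~> 2.5` constraint in the Podfile says nothing about whether the pinned version was ever bumped past 2.5.1.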

“It amazes us that an open-source library that introduced a security flaw for only 6 weeks exposed millions of users to attack,” said a spokesperson for SourceDNA in a blog post announcing their work.