A Staggering 1500 iOS Apps Vulnerable To Disastrous HTTPS Exploit

Another day, another story about a poor SSL implementation. According to analytics service SourceDNA, a staggering 1,500 iOS apps are bugged with a gaping HTTPS hole, allowing attackers to intercept traffic that should otherwise be secure.

The bug exists in a popular networking library called AFNetworking. If an app was built with version 2.5.1, it's vulnerable, whereas one built with 2.5.2, released a few weeks ago, is not. It'd be easy to write this issue off as one that affects a small number of developers, but SourceDNA says that even apps from Microsoft, Uber, and Yahoo were all affected. Those apps have since been fixed, but the other 1,500 problematic ones remain.

What's not entirely clear is whether a bugged app has the ability to affect the entire device's security. That seems unlikely, but it still gives a reason for concern since things like passwords could be fetched out of thin air by someone sitting nearby. It's also not clear if any financial apps are affected, but if so, those would be outright dangerous to use until they get updated.

SourceDNA has launched a page that allows developers to see if their apps are affected. This is done in lieu of a full list as that would make it easier for exploiters to figure out which apps to target. Admittedly, though, you'd imagine that a developer is going to know if they updated one of their apps in the past few weeks, along with the AFNetworking library.

Nonetheless, let's hope that all of the problematic apps get updated before the week's through.


Via: Ars Technica