Report: Security Flaw Lets Hackers Snoop on 76 iPhone Apps


HTTPS encryption only helps if the app checks the certificate it is handed, and it won't protect you from the sort of man-in-the-middle attack that security researchers said this week affects dozens of popular iPhone and iPad apps.

The attack gets its man-in-the-middle name from the fact that the attacker sits between your device and the server, routing your Internet traffic through a machine they control before it reaches the open Web. If they're able to do so, say by luring your device onto a Wi-Fi network they run, they present the app with a forged TLS certificate, one of the building blocks of HTTPS. Because iOS leaves the final decision about a certificate to the app, an app that accepts the forgery hands over its traffic, and the interception goes undetected by the protections built into Apple's iOS mobile operating system, according to iOS security expert Will Strafach.

"The truth of the matter is, this sort of attack can be conducted by any party within Wi-Fi range of your device while it is in use," Strafach wrote in a Medium post. "This can be anywhere in public, or even within your home if an attacker can get within close range."

It's not a new threat: hackers have been able to snoop on iOS and Android apps with broken certificate validation for years. But this particular class of bug is significant, Strafach said, because there's little Apple can do to thwart it.


"Apple's 'App Transport Security' mechanism will see the connection as a valid TLS connection, as it must allow the application to judge the certificate validity if it chooses to do so," he explained. "There is no possible fix to be made on Apple's side, because if they were to override this functionality in an attempt to block this security issue, it would actually make some iOS applications less secure as they would not be able to utilize certificate pinning for their connections."

Instead, developers themselves must fix the issue by making sure the code that handles TLS certificate checks never accepts a certificate the system would have rejected; an app that does not need pinning is safest simply not overriding the check at all. In the meantime, end users can reduce their exposure by using apps that send sensitive information only over cellular data or a Wi-Fi network they trust, since the attacker has to be on the network path to the device.
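The bug class Strafach describes usually looks like the first delegate below: the app implements the `URLSession` server-trust challenge to do its own checking, then returns a credential without ever evaluating the trust object, so a forged certificate sails through. The second delegate shows the fix, evaluating the chain the normal way and only then pinning the leaf certificate. This is an added illustration written for this page, not code from Strafach's post or from any of the affected apps; the class names, the `api.example.com` host and the all-zero `pinnedHash` placeholder are assumptions, and the pinning delegate requires iOS 12 (`SecTrustEvaluateWithError`) and iOS 13 (CryptoKit).

```swift
import Foundation
import Security
import CryptoKit

// VULNERABLE (constructed example of the bug class, not an app's real code):
// the delegate wraps whatever trust object the server presented in a credential
// without evaluating it. A forged certificate from an attacker on the same
// Wi-Fi is therefore accepted, and iOS/ATS never get a chance to reject it.
final class AcceptAnyCertDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if let trust = challenge.protectionSpace.serverTrust {
            // BUG: no SecTrustEvaluate* call before trusting the chain.
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

// HARDENED: let the system validate the chain first (trusted root, expiry,
// hostname via the SSL policy URLSession attached), then additionally pin the
// leaf certificate to a SHA-256 hash shipped inside the app.
final class PinnedCertDelegate: NSObject, URLSessionDelegate {
    private let pinnedLeafSHA256: Data   // SHA-256 of the expected leaf cert (DER)

    init(pinnedLeafSHA256: Data) {
        self.pinnedLeafSHA256 = pinnedLeafSHA256
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only handle server-trust challenges; defer everything else to the system.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // 1. Standard validation. Skipping this step is exactly the bug above.
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // 2. Pinning: the leaf certificate must match the embedded hash.
        //    (SecTrustGetCertificateAtIndex is deprecated from iOS 15 in favour of
        //    SecTrustCopyCertificateChain but still functions.)
        guard let leaf = SecTrustGetCertificateAtIndex(trust, 0) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let leafDER = SecCertificateCopyData(leaf) as Data
        let leafHash = Data(SHA256.hash(data: leafDER))
        guard leafHash == pinnedLeafSHA256 else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// Wiring it up. The hash is a placeholder (assumption): replace it with the real
// SHA-256 of your server's DER-encoded leaf certificate, computed at build time.
let pinnedHash = Data(repeating: 0, count: 32)
let session = URLSession(configuration: .default,
                         delegate: PinnedCertDelegate(pinnedLeafSHA256: pinnedHash),
                         delegateQueue: nil)
let task = session.dataTask(with: URL(string: "https://api.example.com/v1/account")!) { data, response, error in
    // With a forged or unpinned certificate, `error` is set and `data` is nil.
}
task.resume()
```

To check an app for this bug, route the device through an intercepting proxy such as mitmproxy without installing the proxy's CA on the device: the vulnerable delegate will still connect and the proxy will show decrypted traffic, whereas an app with no override or with the hardened delegate will fail the request. Pinning the leaf as shown means the pin must be updated whenever the server certificate is renewed; pinning the server's public key (SPKI) instead survives renewals that keep the same key, at the cost of a little more code.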

Strafach said he has confirmed that at least 76 iOS apps are vulnerable to the attack, and there could be hundreds more. The severity of the threat depends on the type of data the app is sending, with many apps only transmitting basic information like crash reports. He said he is withholding the names of many of the vulnerable apps to give their developers time to address the issue.
