1,500 app for iOS subject to a vulnerability HTTPS

A computer security company identified a vulnerability in over 1,500 app for iOS. The cause of the problem has already been eliminated, but many applications have not yet been updated.

Something like 1,500 app for iOS are subject to a vulnerability that could allow the circumvention of security mechanisms HTTPS and theft of passwords and other sensitive data is identified by the company as security SourceDNA, which states that the problem is due to AFNetworking, an open-source library that many applications use for networking functions.

Version 2.5.1 released in January has accidentally introduced a bug that leaves a way to an attacker on the same WiFi network (or making use of another system that allows you to monitor connections) to present a fake SSL certificate and then decrypt successfully information HTTPS.

This problem causes AFNetworking jumps a validation check. The problem has been fixed in version 2.5.2 about three weeks ago, but many of the iOS app still make use of the old version of the code. Among the applications still vulnerable are those of Alibaba, Uber, Movies by Flixster and Citrix OpenVoice Audio Conferencing.

SourceDNA said they analyzed 1 million app on the beyond 1.4 million games on the App Store, including all the free apps, and only the first in 5000 ranks among the paid app. The app vulnerable not only make use of the outdated version of AFNetworking, but they are not even able to use the mechanism of pinning of the certificates, which allows only specific certificates for HTTPS. The function is disabled by default in pinning AFNetworking.

The main companies and software houses holders app indicted have already been contacted so that they can solve the problem in the shortest time possible. Reality as Uber, Yahoo and Microsoft have already made the necessary corrections, although some of their apps are still vulnerable.