From time to time, websites appear that test the apps in the iOS App Store for potential attacks or security weaknesses. The point of this is to let app developers learn how they can secure their apps and make their code harder to decipher.
Just recently, Will Strafach's verify.ly service detected that a number of popular apps in the App Store were susceptible to data interception. The service found in 76 popular apps the same vulnerability that had been discovered a few months earlier in the Experian and myFICO Mobile iOS apps.
The scariest part is that the affected apps have been downloaded over 18,000,000 times combined.
In his report, Strafach classified each of the 76 apps by risk level: low, medium, and high. The service also determined that interception was possible whether or not the developers were using App Transport Security (ATS), since iOS itself offers nothing that blocks this vulnerability.
Apple first introduced ATS with iOS 9 to improve user privacy and security by requiring apps to use HTTPS. Apple's original plan was to require all iOS apps to enable this feature by January 1, 2017.
Since then, however, the deadline has been pushed back to an unspecified later date because of the misconfigured networking code issue, which ATS does not address: according to Apple, ATS cannot by itself tell whether a connection is a correctly validated TLS connection.
There is no fix Apple can make on its side. If Apple overrode this behaviour in an attempt to block the issue, it would actually make some iOS applications less secure: they could no longer use certificate pinning for their connections, and they could not trust otherwise untrusted certificates, which an enterprise with an in-house PKI may require for intranet connections. The onus therefore rests solely on app developers to ensure their apps are not vulnerable.
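As an added illustration (not code from Strafach's report or from any of the apps named here), the following Swift sketch shows the misconfiguration behind this class of bug next to a corrected `URLSession` delegate that runs the system's TLS validation first and then layers certificate pinning or an in-house enterprise root on top of it, which is exactly the legitimate use that keeps Apple from simply overriding custom trust handling. The delegate class names, the pinned digest set, the enterprise root and the placeholder digest are all assumptions for this example.

```swift
import Foundation
import Security
import CryptoKit

// The misconfiguration behind this class of bug: the delegate accepts whatever
// certificate the server presents. The connection is still TLS, so ATS sees
// nothing wrong with it, but chain, expiry and hostname checks never run.
final class AcceptAnythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if let trust = challenge.protectionSpace.serverTrust {
            completionHandler(.useCredential, URLCredential(trust: trust))   // never do this
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

// The corrected form: run the system's validation first, then add pinning or an
// enterprise root on top of it. Pins and the root certificate are placeholders
// (assumed for this example) that a real deployment would supply.
final class ValidatingDelegate: NSObject, URLSessionDelegate {
    /// SHA-256 digests of DER-encoded certificates (leaf or intermediate) the app
    /// will accept. Empty means "system validation alone decides".
    private let pinnedCertificateDigests: Set<Data>
    /// Optional in-house root CA for an enterprise intranet; nil means system roots.
    private let enterpriseRoot: SecCertificate?

    init(pinnedCertificateDigests: Set<Data>, enterpriseRoot: SecCertificate? = nil) {
        self.pinnedCertificateDigests = pinnedCertificateDigests
        self.enterpriseRoot = enterpriseRoot
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Enterprise case: trust only the named in-house root, but keep full validation.
        if let root = enterpriseRoot {
            _ = SecTrustSetAnchorCertificates(trust, [root] as CFArray)
            _ = SecTrustSetAnchorCertificatesOnly(trust, true)
        }

        // Step 1: the check the broken apps skip. The serverTrust object already carries
        // an SSL policy for the requested hostname, so this covers chain, expiry and name.
        var evaluationError: CFError?
        guard SecTrustEvaluateWithError(trust, &evaluationError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 2: pinning. Accept only if some certificate in the validated chain
        // matches a pinned digest.
        guard !pinnedCertificateDigests.isEmpty else {
            completionHandler(.useCredential, URLCredential(trust: trust))
            return
        }
        for index in 0..<SecTrustGetCertificateCount(trust) {
            guard let certificate = SecTrustGetCertificateAtIndex(trust, index) else { continue }
            let der = SecCertificateCopyData(certificate) as Data
            if pinnedCertificateDigests.contains(Data(SHA256.hash(data: der))) {
                completionHandler(.useCredential, URLCredential(trust: trust))
                return
            }
        }
        completionHandler(.cancelAuthenticationChallenge, nil)
    }
}

// Constructed usage: a session pinned to one hypothetical intermediate certificate.
// The digest below is a placeholder, not the SHA-256 of any real certificate.
let placeholderDigest = Data(repeating: 0xAB, count: 32)
let pinnedSession = URLSession(configuration: .default,
                               delegate: ValidatingDelegate(pinnedCertificateDigests: [placeholderDigest]),
                               delegateQueue: nil)
```

The two delegates differ only in whether `SecTrustEvaluateWithError` runs before a credential is handed back, which is the whole of the bug: a delegate that returns `.useCredential` for any `serverTrust` turns off every check that makes TLS meaningful while still satisfying ATS. Note that `SecTrustGetCertificateAtIndex` is deprecated from iOS 15 in favour of `SecTrustCopyCertificateChain`; the logic is the same either way. A deployed app must replace the placeholder digest with digests computed from its own certificates and plan for their rotation.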
Strafach’s list included the following apps:
- Cheetah Browser
- Snap Upload for Snapchat
- Uploader Free for Snapchat
Strafach noted that most of the low-risk apps centered around Snapchat, which he had earlier discussed as insecure. He has not yet released the medium- and high-risk apps, as he intends to discuss the issues properly with the app developers and companies first.
For users who want to protect their device against such issues, Strafach recommends a properly configured VPN to mitigate the problem. Users who do not wish to use a VPN should switch off Wi-Fi whenever the device is in a public location and they need to access a sensitive site, such as their bank account.
Before performing the sensitive action, open Settings and switch off Wi-Fi. This does not make the cellular connection completely safe: interception over cellular is still possible, but it is more difficult and requires more expensive hardware. Plus, it is far more noticeable and illegal.
Read more about Strafach's report at the link.