Dozens of apps in the Apple App Store have been found to be susceptible to man-in-the-middle attacks even when they use App Transport Security, which Apple has made mandatory.
The lapse was discovered by security experts at Sudo Security Group Inc., who found at least 76 apps to be vulnerable to data interception while communicating with back-end servers. A forged certificate is all that is needed to decrypt the TLS traffic while the data is en route to the server. More worrying still, the apps concerned are among the more popular ones, together accounting for more than 18 million downloads.
The vulnerabilities came to light while the researchers were conducting bulk static analysis of application binaries in the Apple App Store using verify.ly. The verify.ly service is used to detect security irregularities to help developers ensure their code is resilient to such attacks.
Will Strafach, President of Sudo, also stated that App Transport Security isn’t enough to prevent such vulnerabilities, though it is not yet known whether more apps could be equally vulnerable. Apple introduced App Transport Security as part of iOS 9 and required developers to make their apps use HTTPS for better security.
Strafach further sorted the 76 apps into low-, medium- and high-risk categories. Those found to be in the low-risk category include Cheetah Browser, ooVoo, ViaVideo, Snap Upload for Snapchat, and Uploader Free, also for Snapchat.
Strafach, though, is holding back from revealing the names of the apps in the medium- and high-risk categories. He said he will reveal the names, but only after he has discussed the issue in detail with the developers and companies that created the apps.
The Sudo president meanwhile advised users to have a configured VPN in place to ward off the threat. Turning Wi-Fi off is also recommended for those who aren’t keen to use a VPN.