After scanning the binaries of applications downloadable from the iOS App Store, security researcher Will Strafach found, using his verify.ly service, that 76 popular apps in Apple's store are vulnerable to interception of the data they handle.
The interception works regardless of whether App Transport Security (ATS) is in use, and it is not entirely new on iOS: a few months earlier, similar flaws were found in the Experian and myFICO Mobile apps for Apple's OS.
verify.ly is a service dedicated to detecting vulnerabilities in iOS apps, intended to help developers improve the security of the code they write. Its scans look for the typical patterns of known vulnerabilities, since the same "mistakes" are often repeated across different applications. Strafach's findings matter because of the reach of the apps involved, which have been downloaded a total of 18 million times by iOS users.
"The App Transport Security feature cannot block the vulnerabilities that we found," said Strafach. ATS was introduced in iOS 9 and requires App Store applications to use HTTPS where appropriate. Apple had set 1 January 2017 as the deadline for compliance with the requirement, but later postponed it indefinitely. The vulnerability lies in incorrectly configured networking code that causes ATS to treat as TLS connections that are in reality not protected at all: the app overrides the certificate validation step and accepts whatever certificate the server presents, so an attacker on the same network can serve their own certificate and read or modify the traffic. ATS only checks that TLS is used; it does not verify that the app actually validated the peer.
According to the security expert, Apple itself cannot do much here, since the possible platform-level fixes could make other iOS applications less secure. Only the developers of the affected apps can apply a permanent patch, by making sure the networking code they use does not contain the vulnerability. Strafach divides the 76 applications into three levels of risk: low, medium and high.
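To make the mechanism concrete, here is an added example (not code from Strafach's report or from any of the apps named): a URLSession delegate of the kind that produces the flaw, which accepts any server certificate and therefore lets a man-in-the-middle present their own, beside a corrected delegate that lets the system evaluate the chain and additionally pins the leaf certificate's SHA-256 hash. The class names and the pin value are placeholders of my own.

```swift
import Foundation
import CryptoKit

// Added example, not from the original report. Shows the delegate override
// that defeats certificate validation, and a corrected version beside it.

// VULNERABLE: accepts whatever certificate the server (or a MITM) presents.
// ATS is satisfied because the connection is TLS, but the peer is never verified.
final class InsecureSessionDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if let trust = challenge.protectionSpace.serverTrust {
            // Blind trust: no SecTrustEvaluate, no chain or hostname check.
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

// HARDENED: evaluate the chain with the system policy (trusted root, validity,
// hostname), then pin the leaf certificate's hash to a value shipped with the app.
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    // Hypothetical pin (placeholder): replace with the real leaf hash for your host.
    let pinnedLeafSHA256 = "0000000000000000000000000000000000000000000000000000000000000000"

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // 1. System validation. The trust object carries the SSL policy for the
        //    requested hostname, so this also rejects a certificate for another name.
        //    SecTrustEvaluateWithError needs iOS 12; older code used SecTrustEvaluate.
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // 2. Pinning: compare the DER-encoded leaf's SHA-256 to the expected value.
        //    SecTrustGetCertificateAtIndex is deprecated from iOS 15 in favour of
        //    SecTrustCopyCertificateChain, but still works.
        guard let leaf = SecTrustGetCertificateAtIndex(trust, 0) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let der = SecCertificateCopyData(leaf) as Data
        let digest = SHA256.hash(data: der).map { String(format: "%02x", $0) }.joined()
        if digest == pinnedLeafSHA256 {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // An interception proxy's certificate may chain to a root the user
            // installed; pinning catches that case where step 1 would not.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}
```

The simplest fix is often to delete the override altogether: without a custom server-trust handler, URLSession performs default handling, which already validates the chain and hostname against the system trust store. Pin only if you can manage certificate rotation without locking users out.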
Among them are ooVoo, ViaVideo, Snap Upload for Snapchat, Uploader Free for Snapchat and Cheetah Browser. Users themselves can mitigate the problem, for example by using a VPN or by switching off Wi-Fi entirely on the device. Note that a VPN only protects the hop to the VPN server; an attacker positioned beyond that exit point could still intercept the app's unvalidated TLS traffic.
The latter option is of course not always practical, but it is still advisable when you are in a public place and need to perform sensitive operations on your smartphone (for example, simply opening a banking app).
The vulnerability reported by Strafach is still present when the user connects over the cellular network, but in that case intercepting the data is harder, requires expensive equipment, and the attack would be far more conspicuous to the victim. Further details and a partial list of the vulnerable apps are available at this address.