76 popular iPhone apps are vulnerable to man-in-the-middle attacks.
iPhone users are quite vulnerable to attack thanks to popular buggy apps downloaded from the Apple App Store. Will Strafach wrote in a blog post that after scanning apps within the Apple App Store he found 76 apps that users should be wary of.
The issue with these apps is that they leave the user vulnerable to man-in-the-middle attacks over WiFi connections. Attackers within range of the user's phone, using either specialized equipment or a modified mobile phone, could easily carry out an attack.
This attack is made possible by a misconfiguration within networking-related code which allows attackers to insert an invalid TLS certificate into the connection. The iPhone will trust this invalid certificate, and attacks can be carried out. Unfortunately, this error is of the type which Apple cannot fix; instead, it falls to the developers to fix their code.
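For developers checking their own code, here is an added example (not from Will Strafach's post or any affected app) of one common form this kind of misconfiguration takes in iOS networking code, next to a corrected version. The article does not say which pattern the 76 apps used; the class names are hypothetical and the code assumes iOS 12 or later.

```swift
import Foundation
import Security

// ANTI-PATTERN (hypothetical class): accepts whatever certificate the peer
// presents, so an invalid certificate injected on the network is trusted.
final class TrustEverythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition,
                                                  URLCredential?) -> Void) {
        if challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
           let trust = challenge.protectionSpace.serverTrust {
            // No evaluation of the chain or hostname happens before accepting.
            completionHandler(.useCredential, URLCredential(trust: trust))
            return
        }
        completionHandler(.performDefaultHandling, nil)
    }
}

// CORRECTED (hypothetical class): evaluates the chain against the system
// trust store and the requested hostname, and cancels on any failure.
final class ValidatingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition,
                                                  URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Bind the evaluation to the host the app asked for.
        let policy = SecPolicyCreateSSL(true, challenge.protectionSpace.host as CFString)
        SecTrustSetPolicies(trust, policy)

        var error: CFError?
        if SecTrustEvaluateWithError(trust, &error) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Fail closed: an untrusted or mismatched certificate ends the connection.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage: attach the validating delegate when creating the session.
let session = URLSession(configuration: .ephemeral,
                         delegate: ValidatingDelegate(),
                         delegateQueue: nil)
```

An app with no custom trust logic gets the same validation by not implementing this delegate method at all, since the system's default handling rejects invalid certificates.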
These 76 vulnerable apps have been downloaded in total more than 18 million times.
Of the 76, 33 of the apps were deemed low risk. Low risk was defined as attackers only being able to intercept analytics about the device, and potentially email addresses and login credentials. 24 of the apps were deemed medium risk. Medium risk was defined as a confirmed ability to intercept service login credentials and/or session authentication tokens for logged in users. The remaining 19 apps were deemed high risk, defined as a confirmed ability to intercept financial or medical service login credentials and/or session authentication tokens for logged in users.
Will Strafach identified the low risk apps in his blog post along with how these vulnerabilities can be exploited for the individual apps. He will discuss the medium and high risk apps in 60 to 90 days “after reaching out to affected banks, medical providers, and other developers of sensitive applications which are vulnerable.”
That should make iPhone users feel a little less than comfortable.