An HTTPS bug is leaving 1,500 iOS apps vulnerable to man-in-the-middle attacks. Analytics company SourceDNA (via Ars Technica) reports that the bug could allow bad actors to intercept data from an iPhone or iPad and access logins and other sensitive information sent over HTTPS.
In a man-in-the-middle attack, a fake Wi-Fi hotspot (for example) intercepts data from the devices that connect through it. Usually this wouldn't work against secure connections, because the fake hotspot cannot present a valid security certificate for the server it is impersonating. However, the bug discovered by SourceDNA means that the vulnerable apps fail to check the certificate at all.
Thousands of apps rely on the open-source networking library AFNetworking to handle their connections to servers. Version 2.5.1, which debuted in January, contains a bug that causes it to skip checking HTTPS security certificates.
A fix for the issue was released in version 2.5.2 in March; however, around 1,500 iOS apps are still using the old version.
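For developers who want to check their own project rather than wait for an app-by-app listing, the CocoaPods lock file records which AFNetworking release an app was built against. The script below is an added example, not SourceDNA's tool or anything from the article: it parses a constructed `Podfile.lock` and reports whether the resolved AFNetworking version is the 2.5.1 release the article names as affected or is at or past the 2.5.2 fix. The function and constant names are hypothetical.

```python
import re
from typing import Optional, Tuple

# Versions as stated in the article: 2.5.1 skips HTTPS certificate checks,
# 2.5.2 carries the fix. (Hypothetical helper, not SourceDNA's search tool.)
VULNERABLE_VERSION = (2, 5, 1)
FIXED_VERSION = (2, 5, 2)

# Constructed sample Podfile.lock (CocoaPods format) for an app that is
# still built against the affected release.
SAMPLE_PODFILE_LOCK = """\
PODS:
  - AFNetworking (2.5.1):
    - AFNetworking/NSURLConnection (= 2.5.1)
    - AFNetworking/NSURLSession (= 2.5.1)
    - AFNetworking/Reachability (= 2.5.1)
    - AFNetworking/Security (= 2.5.1)
    - AFNetworking/Serialization (= 2.5.1)
    - AFNetworking/UIKit (= 2.5.1)
  - AFNetworking/NSURLConnection (2.5.1):
    - AFNetworking/Reachability
    - AFNetworking/Security
    - AFNetworking/Serialization
  - AFNetworking/Security (2.5.1)

DEPENDENCIES:
  - AFNetworking (~> 2.5)
"""

# Matches the top-level pod entry, e.g. "  - AFNetworking (2.5.1):", but not
# subspec lines such as "  - AFNetworking/Security (2.5.1)" and not the
# "~> 2.5" constraint under DEPENDENCIES (which has no digit after the paren).
_POD_LINE = re.compile(r"^\s*-\s+AFNetworking \((\d+(?:\.\d+)*)\)", re.MULTILINE)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.1' into (2, 5, 1) so versions compare as tuples."""
    return tuple(int(part) for part in text.split("."))


def afnetworking_version(podfile_lock: str) -> Optional[Tuple[int, ...]]:
    """Return the resolved AFNetworking version from a Podfile.lock, or None."""
    match = _POD_LINE.search(podfile_lock)
    return parse_version(match.group(1)) if match else None


def assess(podfile_lock: str) -> str:
    """Classify the lock file against the versions the article names."""
    version = afnetworking_version(podfile_lock)
    if version is None:
        return "not-found"          # app does not pull in AFNetworking via CocoaPods
    if version == VULNERABLE_VERSION:
        return "vulnerable"         # the 2.5.1 release that skips certificate checks
    if version >= FIXED_VERSION:
        return "fixed"              # 2.5.2 or later
    return "older-unassessed"       # releases before 2.5.1 are not covered here


if __name__ == "__main__":
    # Pinning the fix in the Podfile, e.g. pod 'AFNetworking', '~> 2.5.2',
    # and re-running `pod install` is what moves an app out of "vulnerable".
    print("constructed lock file:", assess(SAMPLE_PODFILE_LOCK))
    print("after upgrade:", assess(SAMPLE_PODFILE_LOCK.replace("2.5.1", "2.5.2")))
```

The check keys on the top-level `PODS:` entry rather than the `DEPENDENCIES:` constraint, because a loose constraint such as `~> 2.5` says nothing about which release was actually resolved; only the lock file does.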
Vulnerable apps include: Citrix OpenVoice Audio Conferencing, the Alibaba.com mobile app, Movies by Flixster with Rotten Tomatoes, KYBankAgent 3.0, and Revo Restaurant Point of Sale.
While SourceDNA originally withheld the names of the vulnerable apps from the public, in order to give the developers time to fix the issue, it has now provided a search tool that lets iOS users search by developer.
Users who find that any apps they use are still vulnerable to the attack are encouraged to avoid using them on public Wi-Fi hotspots.
If you use the tool and find an app you use is vulnerable, please share the information with others in the comments section below.
The search tool is available at the SourceDNA website.