A number of flaws have been found in the AFNetworking code library that put iOS apps at risk of potential eavesdropping attacks. How can these flaws be detected and mitigated? Are there other options software developers should consider using instead to ensure iOS app security?
The AFNetworking library is one of the most popular open source networking frameworks for iOS and OS X. It's used by app developers to accelerate development times, as it handles the many complex networking tasks most modern apps need to perform. Unfortunately, a logic flaw was present in the GitHub repo from Jan. 24 to March 25 in versions 2.1.0 to 2.5.2. Any developer who updated an app during that period could have integrated the vulnerable library into it. Minded Security, which found the vulnerability, estimates that at least 25,000 iOS apps available in Apple's App Store could be affected.
The vulnerability is serious because it enables an attacker to launch an SSL man-in-the-middle attack to steal or modify Internet traffic sent and received by a vulnerable app that a user thinks is safely encrypted. The problem arises because although the AFNetworking library checks that a Web server's digital certificate is issued by a valid certificate authority (CA), it doesn't verify by default that the domain name requested matches the domain name in the certificate. This means that as long as an attacker uses a valid SSL certificate signed by a trusted CA, they can eavesdrop on or modify an SSL session initiated by an app using this flawed library. For example, an attacker could pretend to be Apple.com just by presenting a valid certificate for malicioushacker.com.
This flaw was fixed in version 2.5.3, and developers who use the AFNetworking library should ensure their app uses this version or later. A quick fix for developers using a vulnerable version is to set the validatesDomainName flag to "YES", which is the default value of validatesDomainName in version 2.5.3.
Adding certificate pinning would also prevent the attack from working. SourceDNA has provided a free search tool that developers -- and users for that matter -- can use to see if their apps are vulnerable. The Alamofire HTTP networking library is a possible alternative to the AFNetworking library, and those developers who don't want to use third-party frameworks can use Apple's Foundation framework classes NSURLConnection and NSURLSession to communicate with servers using standard Internet protocols.
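The two mitigations above (setting validatesDomainName explicitly and adding pinning), sketched against the AFNetworking 2.x API as an added example that is not code from the article or from the AFNetworking project. The helper names `HardenedManager` and `PolicyChecksHostname` and the example URL are assumptions, and the pinned certificate is assumed to be a `.cer` file bundled with the app.

```objective-c
#import <Foundation/Foundation.h>
#import <AFNetworking/AFNetworking.h>

// Hypothetical audit helper (name is an assumption): YES only when the policy
// matches the certificate against the requested host and rejects untrusted chains.
static BOOL PolicyChecksHostname(AFSecurityPolicy *policy) {
    return policy.validatesDomainName && !policy.allowInvalidCertificates;
}

// Hypothetical factory (name is an assumption): builds a manager whose TLS
// behaviour does not depend on the default of the library version that is linked.
static AFHTTPRequestOperationManager *HardenedManager(NSURL *baseURL) {
    AFHTTPRequestOperationManager *manager =
        [[AFHTTPRequestOperationManager alloc] initWithBaseURL:baseURL];

    // Weak form, for contrast: relying on the stock policy. In the affected
    // versions described above, this accepted any CA-signed certificate
    // regardless of the host name it was issued for.
    //     manager.securityPolicy = [AFSecurityPolicy defaultPolicy];

    // Corrected form: pin the server's public key and set the flag explicitly.
    // By default, AFNetworking 2.x reads pinned certificates from the .cer
    // files in the app's main bundle.
    AFSecurityPolicy *policy =
        [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey];
    policy.validatesDomainName = YES;       // certificate must match the requested host
    policy.allowInvalidCertificates = NO;   // chain must lead to a trusted CA
    manager.securityPolicy = policy;

    // Fail loudly in debug builds if a later change weakens the policy.
    NSCAssert(PolicyChecksHostname(manager.securityPolicy),
              @"TLS policy does not validate the server host name");
    return manager;
}

// Usage (constructed URL, for illustration only):
//     AFHTTPRequestOperationManager *api =
//         HardenedManager([NSURL URLWithString:@"https://api.example.com"]);
```

Calling `PolicyChecksHostname` on every manager an app creates, for instance in a unit test, catches a policy that was left at a vulnerable default after a dependency change.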
Developers should always monitor the relevant security mailing lists of any third-party libraries they use to ensure they stay abreast of any security issues that may affect iOS app security. Vulnerabilities found in open source components, frameworks and libraries are rapidly exploited by hackers as they can automate their attacks knowing that any applications built using the flawed code are vulnerable until a patch is released and installed.