A number of flaws have been found in the AFNetworking code library that put iOS apps at risk of potential eavesdropping...
attacks. How can these flaws be detected and mitigated? Are there other options software developers should consider using instead to ensure iOS app security?
The AFNetworking library is one of the most popular open source networking frameworks for iOS and OS X. It's used by app developers to accelerate development times, as it handles the many complex networking tasks most modern apps need to perform. Unfortunately, a logic flaw was present in the Github repo from Jan. 24 to March 25 in versions 2.1.0 to 2.5.2. Any developer who updated his or her app during that period could have integrated the vulnerable library into their app. Minded Security, which found the vulnerability, estimates that at least 25,000 iOS apps available in Apple's App Store could be affected.
The vulnerability is serious because it enables an attacker to launch an SSL man-in-the-middle attack to steal or modify Internet traffic sent and received by a vulnerable app that a user thinks is safely encrypted. The problem arises because although the AFNetworking library checks that a Web server's digital certificate is issued by a valid certificate authority (CA), it doesn't verify by default that the domain name requested matches the domain name in the certificate. This means that as long as an attacker uses a valid SSL certificate signed by a trusted CA, they can eavesdrop on or modify an SSL session initiated by an app using this flawed library. For example, an attacker could pretend to be Apple.com just by presenting a valid certificate for malicioushacker.com.
This flaw was fixed in version 2.5.3, and developers who use the AFNetworking library should ensure their app uses this version or later. A quick fix for developers using a vulnerable version is to set the validatesDomainName flag to" YES" -- the default value of validatesDomainName is set to "YES" in version 2.5.3.
Adding certificate pinning would also prevent the attack from working. SourceDNA has provided a free search tool that developers -- and users for that matter -- can use to see if their apps are vulnerable. The Alamofire HTTP networking library is a possible alternative to the AFNetworking library, and those developers who don't want to use third-party frameworks can use Apple's Foundation framework classes NSURLConnection and NSURLSession to communicate with servers using standard Internet protocols.
Developers should always monitor the relevant security mailing lists of any third-party libraries they use to ensure they stay abreast of any security issues that may affect iOS app security. Vulnerabilities found in open source components, frameworks and libraries are rapidly exploited by hackers as they can automate their attacks knowing that any applications built using the flawed code are vulnerable until a patch is released and installed.
Ask the Expert:
SearchSecurity expert Michael Cobb is ready to answer your application security questions -- submit them now. (All questions are anonymous.)
Learn more about developing mobile apps
Take a deeper look at iOS in the enterprise and its potential security issues
Dig Deeper on Platform security
Related Q&A from Michael Cobb
Sending sensitive information in attachments is inherently unsafe, and the main way to secure them -- encryption -- can be implemented inconsistently... Continue Reading
Spyware can steal mundane information, track a user's every move and everything in between. Read up on the types of spyware and how to best fix ... Continue Reading
Explore the differences between symmetric vs. asymmetric encryption algorithms, including common uses and examples of both, as well as their pros and... Continue Reading