ras-slava - Fotolia
Approximately 76 iOS apps, with purposes ranging from mobile banking to handling medical information, were found to be vulnerable to man-in-the-middle (MitM) attacks. Nineteen of these apps are considered high-risk, as sensitive information can be stolen by local network attackers. What made these iOS apps vulnerable to MitM attacks, and how can developers prevent such future instances?
Will Strafach, a mobile security expert and CEO of Sudo Security Group, found these 76 popular iOS applications to be vulnerable to silent MitM attacks and the manipulation of data in motion, which should be protected by transport layer security (TLS). The discovery came during the development of the web-based mobile app analysis service Verify.ly, which enables users to scan the binary code of an iOS application and generate a report detailing any common security issues detected.
According to Apptopia estimates, more than 18 million users have downloaded vulnerable versions of these apps, 19 of which enable an attacker to intercept financial or medical service login credentials and session authentication tokens for logged in users.
The MitM attacks can be launched by any hacker within Wi-Fi range of a victim's device while it is in use. It only requires a slightly modified mobile phone or custom hardware, depending on the range and capabilities required.
Strafach used an iPhone running iOS 10 and a malicious proxy to insert an invalid TLS certificate into connections during testing. He also pointed out that the App Transport Security (ATS) feature of iOS does not and cannot block this vulnerability from being exploited.
ATS is a feature that Apple introduced in iOS 9. When it's enabled, it forces an app to connect to web services over an HTTPS connection rather than HTTP. Its use has been mandatory since Jan. 1, 2017 for all developers who want to submit their apps to the App Store.
The problem lies with how developers implement networking-related code within their iOS applications. Strafach doesn't go into detail about the particular misconfigurations he found, but this puts the onus solely on app developers to ensure their apps implement ATS correctly.
Many software vulnerabilities, like those discovered by Strafach, occur because developers don't read the documentation for the frameworks they use to build their apps. They also don't fully understand the code they've cut and pasted from examples on the internet, and are under too much time pressure to be able to fully test the apps and ensure they're secure before releasing them.
A common situation that leads to weaknesses in authentication, encryption and other security controls is that developers override or bypass default functionality, such as TLS validation. This is often done to speed up development times, but developers then forget to restore the secure settings or to remove code used for internal testing before releasing the app to the public.
During development, any changes made to override the default functionality must be documented and flagged for removal prior to release. Any code reused from the internet should only be added to a project if its purpose is fully understood; it should also be documented. Any code or settings that bypass security checks should be removed once the app reaches the alpha phase of development, so the security of the app can be fully tested well before its final release.
While this specific vulnerability can be exploited for MitM attacks over both Wi-Fi and cellular connections, intercepting a cellular connection is far more difficult, requires expensive hardware and is far easier to detect. Therefore, users who are concerned about the security of any apps on their smartphone that transmit sensitive data, such as banking or medical apps, should turn off Wi-Fi and only use a cellular data connection when using them.
Find out how a Slack vulnerability exposed user authentication tokens and private data
Learn how Fruitfly Mac malware's decades-old code escaped detection
Read how insecure OAuth implementations in mobile apps could be putting you at risk
Dig Deeper on Mobile application security best practices
Related Q&A from Michael Cobb
Sending sensitive information in attachments is inherently unsafe, and the main way to secure them -- encryption -- can be implemented inconsistently... Continue Reading
Spyware can steal mundane information, track a user's every move and everything in between. Read up on the types of spyware and how to best fix ... Continue Reading
Explore the differences between symmetric vs. asymmetric encryption algorithms, including common uses and examples of both, as well as their pros and... Continue Reading