1,500 iOS apps vulnerable to security flaw

Published: April 22, 2015 8:00 PM

At least 1,500 iOS apps have been identified as vulnerable to a security flaw that could allow hackers access to user passwords and financial data.

Some weeks ago a vulnerability was introduced into an open-source code library known as AFNetworking. The flaw was fixed by those who maintain the library, but the IT security firm SourceDNA established that any developer who used the AFNetworking library to update their apps between January 24th and March 25th unwittingly integrated the vulnerability into their apps. Specifically, this vulnerability allows a 'man-in-the-middle' attack, a type of security attack that redirects your information to an unwanted third party before sending the data to its intended destination. As the data passes through the hands of this third party it can be scanned for important information, namely financial information and passwords.

The problem is that many of the developers of these apps have simply not updated their products to remove the vulnerability since its discovery. It should only be a matter of time before these developers update to the version of AFNetworking that no longer carries the vulnerability.

Considering the App Store has a library of nearly 1.4 million apps, the total number of affected apps is incredibly small. Despite this, some pretty important developers used this open-source library. In their blog post about the vulnerability, SourceDNA say in reference to the affected apps:

"Are these apps important? We compared them against our rank data and found some big players: Yahoo!, Microsoft, Uber, Citrix, etc. It amazes us that an open-source library that introduced a security flaw for only 6 weeks exposed millions of users to attack."

If you are concerned about which apps are affected, you can search SourceDNA's security report. SourceDNA also has a blog post recounting their efforts to find the affected apps.

Were any of your apps affected by the vulnerability?