Apple’s iPhone is more secure than its rivals, but that doesn’t mean that apps or the device itself can’t be hacked. A security researcher discovered a flaw in some 76 App Store apps with more than 18 million downloads between them that would allow a malicious individual to capture certain data from the iPhone. The security issue can’t be fixed by Apple directly. Instead, each developer should handle with extra care network-related code that might interfere with Apple’s default practices for transporting data over a secured connection.
Will Strafach used his verify.ly service to discover 76 applications that can be leak data about yourself. The security exploit takes advantage of a data transfer protocol that might be misconfigured in certain apps.
A security feature introduced by Apple in iOS 9 called App Transport Security feature is meant to force app data transfers over secured HTTPS. But misconfigured network code in an iOS app can fool the ATS protocol to see a connection as TLS-protected (HTTPS) even when it’s not. A hacker with knowledge of the issue would be able to siphon off data from an iPhone over a Wi-Fi connection.
Strafach divided the 76 apps into three categories, including low-risk (33 apps), medium-risk (24 apps), and high-risk (19 apps).
A high-risk app would leak financial or medical service login credentials and session authentication tokens for logged users. A medium-risk app would let the hacker intercept login credentials and session authentication tokens for logged in users.
Low-risk apps would leak partially sensitive data about the device, including email address and login credentials.
The researcher posted the 33 low-risk apps he discovered complete with information on what kind of information hackers can steal. For example, Snap Upload for Snapchat would give a hacker the username and password to Snapchat — check out the full list at this link.
Strafach did not share the medium- and high-risk apps and chose to reach out to affected “banks, medical providers, and other developers of sensitive applications which are vulnerable,” before identifying them. He will post more information about them in 60 to 90 days.
The same problem affected Experian in 2016 and PayPal in 2010.
The attacks, however, aren’t exactly simple, and they require knowledge of the issue, specialized equipment, and proximity to a target who must have installed on his or her device vulnerable apps.
What you can do until then is to avoid connecting to any untrusted Wi-Fi network for any sensitive data exchanges, such as internet banking sessions. Choose cellular data instead, which would make it nearly impossible for a hacker to intercept the same data. Of course, if hackers are targeting you for any reason, then you might have some bigger problems to deal with than worrying about what Wi-Fi network to trust when you’re not at home.
