When downloading from a trusted app store, users generally assume security will not be an issue. Sadly, security can never be taken for granted. Apple’s App Store, generally considered much more secure than its contemporaries, was the latest target. At least 76 popular iOS apps were found to be susceptible to data interception, according to a report from a security expert.
These concerning findings come from verify.ly, a service created by Sudo Security Group CEO Will Strafach.
Strafach’s verify.ly service scans apps in the iOS App Store for vulnerabilities to help developers understand how to harden and secure their code. The scans look for known vulnerability patterns to determine which applications are at risk.
The applications found vulnerable to silent data interception have amassed over 18 million downloads from the App Store combined. While the risk level varies from app to app, a user is safer with all of them removed from the device.
List of low-risk vulnerable apps
- Free Video Call, Text and Voice
- Snap Upload for Snapchat
- Uconnect Access
- Uploader Free for Snapchat
- Safe Up for Snapchat
- Tencent Cloud
- Uploader for Snapchat
- Huawei HiLink (Mobile WiFi)
- VICE News
- Trading 212 Forex & Stocks
- 1000 Friends for Snapchat
- YeeCall Messenger
- Loops Live
- Private Browser
- Cheetah Browser
- AMAN BANK
- FirstBank PR Mobile Banking
- VPN free
- Gift Saga
- Vpn One Click Professional
- Music tube
- Foscam IP Camera Viewer by OWLR for Foscam IP Cams
- Code Scanner by ScanLife: QR and Barcode Reader
Usually, Transport Layer Security, the protocol that secures communications between a client and a server, prevents such breaches. Because these apps do not enforce that protection, a connection presenting an invalid TLS certificate is accepted and user data can be intercepted. The interception is possible regardless of whether the developers use Apple’s App Transport Security networking feature.
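The defect behind a finding like this is typically an app-supplied TLS challenge handler that accepts whatever certificate the server presents, which is why App Transport Security cannot help: the app itself opts out of validation. The Swift below is an added illustration written for this page, not code from the report or from any of the listed apps. The first delegate shows the vulnerable pattern; the second evaluates the certificate chain before accepting it and optionally pins the leaf certificate. The class names, the `pinnedLeafDER` placeholder and the use of the iOS 12+ `SecTrustEvaluateWithError` API are assumptions of this example.

```swift
import Foundation
import Security

// Placeholder (assumed): DER bytes of the server's leaf certificate, normally
// loaded from the app bundle. Empty here so the file compiles stand-alone.
let pinnedLeafDER = Data()

/// VULNERABLE pattern: every certificate, including one forged by someone on
/// the same Wi-Fi network, is accepted because the trust object is never evaluated.
final class AcceptAnythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // BUG: no SecTrustEvaluate* call, so an invalid or self-signed certificate passes.
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

/// HARDENED pattern: run the system chain and hostname validation first
/// (URLSession already attached an SSL policy for the host to the trust object),
/// then optionally compare the leaf certificate against a pinned copy.
final class VerifyingDelegate: NSObject, URLSessionDelegate {
    private let pinnedLeaf: Data?

    init(pinnedLeaf: Data? = nil) {
        self.pinnedLeaf = pinnedLeaf
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Step 1: standard validation against the system trust store.
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 2 (optional): pin the leaf certificate by comparing its DER encoding.
        if let pinned = pinnedLeaf, !pinned.isEmpty {
            guard let leaf = SecTrustGetCertificateAtIndex(trust, 0),
                  (SecCertificateCopyData(leaf) as Data) == pinned else {
                completionHandler(.cancelAuthenticationChallenge, nil)
                return
            }
        }

        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// Usage (assumed): two sessions, one per delegate, to show the difference.
let insecureSession = URLSession(configuration: .default,
                                 delegate: AcceptAnythingDelegate(),
                                 delegateQueue: nil)
let secureSession = URLSession(configuration: .default,
                               delegate: VerifyingDelegate(pinnedLeaf: pinnedLeafDER),
                               delegateQueue: nil)
```

The simplest correct choice is to not implement the challenge handler at all, or to answer `.performDefaultHandling`, which lets URLSession and App Transport Security apply their normal validation. The pinning branch is the legitimate reason apps override the handler in the first place, and it only stays safe because the system evaluation in step 1 is never skipped.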
Strafach, in a blog post on his findings, stresses that:
The truth of the matter is, this sort of attack can be conducted by any party within Wi-Fi range of your device while it is in use. This can be anywhere in public, or even within your home if an attacker can get within close range.
There is no possible fix to be made on Apple’s side, because if they were to override this functionality in an attempt to block this security issue, it would actually make some iOS applications less secure as they would not be able to utilize certificate pinning for their connections, and they could not trust otherwise untrusted certificates which may be required for intranet connections within an enterprise using an in-house PKI. Therefore, the onus rests solely on app developers themselves to ensure their apps are not vulnerable.
He explained that an attack could be carried out with custom hardware or a slightly modified smartphone, comparable to a device that skims data from credit cards.
Apps Susceptible to Data Interception
One of the affected apps was ooVoo, a popular video chat service that leaves usernames and passwords open to interception. The issue has been present in the app since 2013, according to a report from Double Encore engineer Nick Arnott.
Other apps found to be at risk included the official app for Vice News, several third-party Snapchat apps, banking apps based in Puerto Rico and Libya, and several popular and free VPN apps. The banking apps and VPNs are of particular concern as they should provide greater security and are more likely to carry sensitive information.
Strafach stated that to protect data, it is better to switch off Wi-Fi and use cellular data. Cellular networks are not as easily intercepted as Wi-Fi networks. Hence, it is advisable to use cellular data to log in to your bank account, make transactions and check balances.
Strafach sorted the 76 apps into low, medium and high-risk categories. He intends to reach out to developers to fix the problem before publishing the full list of vulnerabilities.
The list will be revealed within a few months so that cyber criminals cannot exploit the apps before they are patched. Meanwhile, the list of low-risk apps has been released for users’ benefit. For now, users are advised to remove any installed app known to be vulnerable to data interception.