Around 1,500 iPhone and iPad applications were found to contain an HTTPS bug that makes it possible, and simple, for attackers to intercept encrypted passwords, bank account numbers and other highly sensitive information, according to analytics firm SourceDNA.
Approximately two million people have installed the vulnerable applications, which include Citrix OpenVoice Audio Conferencing, Movies by Flixster with Rotten Tomatoes, the Alibaba.com mobile app, Revo Restaurant Point of Sale and KYBankAgent 3.0, according to SourceDNA. The vulnerability stems from a bug in an outdated version of AFNetworking, an open-source library that lets developers drop networking capabilities into their applications. The flawed version has been available since January and introduced the HTTPS-crippling bug; AFNetworking's maintainers have since shipped a newer release that fixes it, but many applications remain vulnerable because they still bundle the older code. Researchers Simone Bovi and Mauro Gentile, who discovered the flaw, wrote in a blog post: “we tested the app on a real device and, unexpectedly, we found that all the traffic could be regularly intercepted through a proxy like Burp without any intervention” (sic).
According to SourceDNA's report, about 1,500 applications were still vulnerable to attackers able to decrypt their HTTPS traffic. To exploit the bug, an attacker on the same public Wi-Fi network, or anywhere else in a position to monitor a vulnerable device's connection, need only present it with a forged SSL certificate. Normally such a certificate would be detected as untrusted at once and the connection terminated. Because of the bug in the older AFNetworking version, however, the certificate validation check is never performed, so fraudulent, untrusted certificates are accepted and the attacker can decrypt everything the app sends.
It should be noted that this vulnerability does not break HTTPS system-wide on the device. It puts data at risk only while a vulnerable application is running and sending traffic. Put simply, if you have the vulnerable Alibaba.com app, only the data that app sends is exposed; data sent through, for instance, the eBay app or the Amazon website remains protected. SourceDNA compiled its list by analyzing the binary code of each of the free applications in addition to 5,000 paid ones.
SourceDNA has so far kept the full list of applications vulnerable to the HTTPS bug private, to avoid handing attackers a ready-made target list. It has instead released a search tool that lets end users check whether a particular application is affected. The tool will be updated regularly to remove applications that have been fixed and to add newly identified vulnerable ones.
iOS users are encouraged to spend a few minutes checking whether any of the applications they use are among those found to be vulnerable to the HTTPS bug.