
Report: Security Flaw Lets Hackers Snoop on 76 iPhone Apps

HTTPS encryption is good, but it won't protect you from the sort of man-in-the-middle attack that security researchers said this week can affect dozens of popular iPhone and iPad apps.

The attack gets its man-in-the-middle name from the way it works: the attacker routes your Internet traffic through a server they control before it reaches the open Web. If they can do that, for example by hijacking your Wi-Fi connection, they can present a fake TLS certificate (TLS being one of the building blocks of HTTPS encryption) and intercept the data. In most cases the app security built into Apple's iOS mobile operating system will not detect this, according to iOS security expert Will Strafach.

"The truth of the matter is, this sort of attack can be conducted by any party within Wi-Fi range of your device while it is in use," Strafach wrote in a Medium post. "This can be anywhere in public, or even within your home if an attacker can get within close range."

It's not a new threat: hackers have been able to snoop on iOS and Android apps for years. But this particular implementation is significant, Strafach said, because there's little Apple can do to thwart it.

"Apple's 'App Transport Security' mechanism will see the connection as a valid TLS connection, as it must allow the application to judge the certificate validity if it chooses to do so," he explained. "There is no possible fix to be made on Apple's side, because if they were to override this functionality in an attempt to block this security issue, it would actually make some iOS applications less secure as they would not be able to utilize certificate pinning for their connections."

Instead, developers themselves must fix the issue by making sure their code contains no flaw that causes it to wrongly accept a TLS certificate as valid. In the meantime, end users can reduce their exposure by using apps that send sensitive information only while the phone is connected to a secured Wi-Fi network or is using cellular data.
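To make concrete what the faulty app-side check looks like and how a correct one differs, here is an added Swift example that is not from Strafach's report or any named app: the first URLSession delegate accepts any server certificate, which is the pattern that turns ATS's "let the app judge" behaviour into a hole, while the second runs the system's validation and then pins the leaf certificate's SHA-256 digest (the class names are hypothetical and the digest value is a placeholder).

```swift
import Foundation
import Security
import CryptoKit

typealias ChallengeReply = (URLSession.AuthChallengeDisposition, URLCredential?) -> Void

// VULNERABLE: answering every server-trust challenge with .useCredential tells
// URLSession to accept whatever certificate the network presents. ATS treats the
// handshake as valid because the app took over the decision, so a forged
// certificate from a nearby Wi-Fi attacker is accepted like the real one.
final class AcceptAnythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping ChallengeReply) {
        if let trust = challenge.protectionSpace.serverTrust {
            completionHandler(.useCredential, URLCredential(trust: trust))  // no evaluation at all
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

// HARDENED: let the system evaluate chain, hostname and expiry first, then
// additionally require that the leaf certificate matches a pinned digest.
final class PinnedDelegate: NSObject, URLSessionDelegate {
    // Placeholder value: replace with the SHA-256 of your server's leaf certificate (DER bytes).
    private let pinnedLeafSHA256 = Data(repeating: 0xAA, count: 32)

    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping ChallengeReply) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)  // not a server-trust challenge
            return
        }
        // 1. Standard validation against the host the app intended to reach.
        _ = SecTrustSetPolicies(trust, SecPolicyCreateSSL(true, challenge.protectionSpace.host as CFString))
        guard SecTrustEvaluateWithError(trust, nil) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // 2. Pinning: the leaf must be the certificate we expect, not merely a trusted one.
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate], let leaf = chain.first,
              Data(SHA256.hash(data: SecCertificateCopyData(leaf) as Data)) == pinnedLeafSHA256 else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}
```

Reviewing an app for this bug means looking for the first shape: a server-trust handler that returns `.useCredential` without ever calling a trust-evaluation function.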

Strafach said he has confirmed that at least 76 iOS apps are vulnerable to the attack, and that there could be hundreds more. The severity of the threat depends on the type of data an app sends; many of the apps transmit only basic information such as crash reports. He said he is withholding the names of many of the vulnerable apps to give their developers time to address the issue.
