HTTPS Vulnerability Means Some 1,500 iOS Apps Are Totally Exposed

By Tom Pritchard

Remember the good ol' days when people insisted Apple products were totally secure and free from security concerns? Ignorance, as they say, is bliss, because these days there are more vulnerabilities than you can shake a stick at. Case in point: an app vulnerability that lets hackers bypass HTTPS security to steal sensitive information.

According to analytics firm SourceDNA, the problem can be traced back to the open-source code library AFNetworking. Version 2.5.1, which was released in January, included a bug that could let someone skip a validation check and access an iOS device on the same Wi-Fi network. Then all they have to do is present a fake SSL certificate, which would let them easily decrypt HTTPS data.

Version 2.5.2 was released three weeks ago, but a number of iOS apps are still using the old insecure code. Apparently that includes big names like Uber, Movies by Flixster, and Alibaba. SourceDNA has contacted app developers directly, and a number of major companies have apparently made changes to their apps. That said, a lot of apps are still exposed.
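For developers checking their own builds, here is an added example (not from the article or from SourceDNA's tool) that scans a CocoaPods `Podfile.lock` for AFNetworking resolved to 2.5.1, the release named above. It assumes the app pulls AFNetworking through CocoaPods; the function names and the sample lockfile are constructed for illustration.

```python
import re

# Per the article: 2.5.1 shipped the validation bug; 2.5.2 is the release that followed.
FLAGGED_VERSION = "2.5.1"

# A resolved pod entry sits at two-space indent: "  - AFNetworking/Security (2.5.1):"
# Four-space lines are dependency constraints such as "(= 2.5.1)" and are skipped.
_ENTRY = re.compile(r'^  - "?(?P<name>[^\s"(]+) \((?P<version>[^)]+)\)"?:?\s*$')


def resolved_afnetworking(lock_text):
    """Return {pod_name: version} for AFNetworking and its subspecs in the PODS section."""
    found, in_pods = {}, False
    for line in lock_text.splitlines():
        if line and not line[0].isspace():  # top-level key, e.g. "PODS:" or "DEPENDENCIES:"
            in_pods = line.strip() == "PODS:"
            continue
        match = _ENTRY.match(line) if in_pods else None
        if match and match["name"].split("/")[0] == "AFNetworking":
            found[match["name"]] = match["version"]
    return found


def flagged_pods(lock_text):
    """Names of resolved AFNetworking pods pinned to the release the article names."""
    resolved = resolved_afnetworking(lock_text)
    return sorted(name for name, ver in resolved.items() if ver == FLAGGED_VERSION)


# Constructed sample lockfile (not from any real app).
SAMPLE_LOCK = """\
PODS:
  - AFNetworking (2.5.1):
    - AFNetworking/Security (= 2.5.1)
    - AFNetworking/Serialization (= 2.5.1)
  - AFNetworking/Security (2.5.1)
  - AFNetworking/Serialization (2.5.1)
  - SomeOtherPod (1.0.0)

DEPENDENCIES:
  - AFNetworking (~> 2.5)
"""

if __name__ == "__main__":
    for pod in flagged_pods(SAMPLE_LOCK):
        print(f"{pod} resolved to {FLAGGED_VERSION}: update and ship a new build")
```

The check only reads the resolved `PODS` entries, so a loose constraint such as `~> 2.5` in the `Podfile` is not flagged unless the lockfile actually resolved it to 2.5.1.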

If you're concerned about the apps on your device, there is a web-based tool you can use to see if you're still at risk. [Ars Technica via Apple Insider]