What happens when tax season and flu season overlap? For many people, the answer used to be guaranteed headaches, nausea, and general malaise. Now there's an app for everything, though, and many promise to make it easier to manage your finances or track your health. The only problem: a researcher discovered that dozens of the App Store's wares accept invalid TLS certificates, leaving connections that should be secure open to man-in-the-middle (MITM) attacks.
Will Strafach, the researcher who revealed the problem, said in a Medium post that he found it while "automatically scanning the binary code of applications within the Apple App Store en-masse" for a tool called Verify.ly, which "allows you to scan the binary code of an iOS application to produce a human readable report detailing all detected common security issues and a breakdown of all useful security related information pertaining to the app."
"Our system flagged hundreds of applications as having a high likelihood of vulnerability to data interception," Strafach said in his post about the security flaws, "but at this time I will be posting details of the connections and data which I was able to fully confirm as vulnerable using a live iPhone running iOS 10 and a “malicious” proxy to insert an invalid TLS certificate into the connection for testing."
Strafach named 33 applications, including Vice News and Code Scanner by ScanLife, that are vulnerable to these MITM attacks but handle no sensitive data. He rated the vulnerability a medium risk for 24 more apps and a high risk for another 19; those 43 were not identified because Strafach wanted to give their developers time to address the issue. The 76 apps have been downloaded a collective 18 million times.
Because the affected apps accept a certificate that should be rejected, an attacker positioned on the network path can intercept or modify the data they send over TLS. Strafach explained:
There are many potential avenues along the network path for this vulnerability class to be exploited in order to intercept and/or manipulate data. While it is certainly possible for an ISP or a rogue Wi-Fi provider to be the attacker, that is unlikely in most Western regions, and is not considered to be a serious risk. With regards to this sort of man-in-the-middle attack, a common analogy makes a reference to using the Wi-Fi connection within a coffee shop, or an airport, but lately I am starting to dislike the analogy as it is easy to misunderstand and minimize the perceived potential for attack. The truth of the matter is, this sort of attack can be conducted by any party within Wi-Fi range of your device while it is in use. This can be anywhere in public, or even within your home if an attacker can get within close range. Such an attack can be conducted using either custom hardware, or a slightly modified mobile phone, depending on the required range and capabilities.
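The test Strafach describes, an interception proxy that presents an invalid certificate to see which client accepts it, as an added example that is not code from the original post or from any of the affected apps. It is written in Go rather than for iOS because Go's standard library can mint the bogus certificate, run the proxy and drive both clients in one self-contained file; the hostname `api.example.test` and the sample login request are constructed for the demonstration. The flawed apps' behaviour is reproduced with `InsecureSkipVerify`, Go's equivalent of skipping certificate validation, and contrasted with the default, verifying client.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Hypothetical hostname the "app" believes it is talking to.
const targetHost = "api.example.test"

// Constructed request standing in for the sensitive data a finance or health app sends.
const sampleRequest = "POST /login HTTP/1.1\r\nHost: api.example.test\r\n\r\nuser=alice&pass=hunter2"

// selfSignedCert builds a throwaway certificate for host. No trust store vouches
// for it, so it plays the invalid certificate an interception proxy would present.
func selfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// startFakeProxy listens on loopback with the untrusted certificate and records
// the first chunk each client sends. A client that rejects the certificate never
// completes the handshake, so its Read fails and nothing is recorded for it.
func startFakeProxy(cert tls.Certificate) (net.Listener, <-chan string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, nil, err
	}
	captured := make(chan string, 8)
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				buf := make([]byte, 4096)
				n, err := c.Read(buf) // the TLS handshake runs here
				if err != nil {
					return
				}
				captured <- string(buf[:n])
			}(conn)
		}
	}()
	return ln, captured, nil
}

// sendRequest connects to addr as if it were host and sends req. skipVerify=true
// reproduces the flawed apps: the certificate is never checked, so the proxy's bogus
// one is accepted and the request leaks. skipVerify=false is correct behaviour: the
// handshake fails and nothing is sent.
func sendRequest(addr, host, req string, skipVerify bool) error {
	cfg := &tls.Config{ServerName: host, InsecureSkipVerify: skipVerify} // true = vulnerable
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	_, err = conn.Write([]byte(req))
	return err
}

// Demonstrate runs both clients against the fake proxy and returns what the proxy
// captured from the non-verifying client and the error the verifying client saw.
func Demonstrate() (leaked, verifyErr string, err error) {
	cert, err := selfSignedCert(targetHost)
	if err != nil {
		return "", "", err
	}
	ln, captured, err := startFakeProxy(cert)
	if err != nil {
		return "", "", err
	}
	defer ln.Close()
	addr := ln.Addr().String()
	if err := sendRequest(addr, targetHost, sampleRequest, true); err != nil {
		return "", "", fmt.Errorf("vulnerable client unexpectedly failed: %w", err)
	}
	select {
	case leaked = <-captured:
	case <-time.After(5 * time.Second):
		return "", "", fmt.Errorf("proxy captured nothing from the vulnerable client")
	}
	if err := sendRequest(addr, targetHost, sampleRequest, false); err != nil {
		return leaked, err.Error(), nil
	}
	return leaked, "", fmt.Errorf("verifying client should have rejected the certificate")
}

func main() {
	leaked, verifyErr, err := Demonstrate()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("leaked from non-verifying app: %q\n", leaked)
	fmt.Printf("verifying app refused the handshake: %s\n", verifyErr)
}
```

Run stand-alone it prints the captured credentials for the non-verifying client and a certificate error (an unknown-authority failure) for the verifying one; that pairing is exactly what an interception proxy inserted into a live test shows, and it is the behaviour a binary scan is trying to predict.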
Consumers are advised to switch to cellular networks when using sensitive apps, like those that handle finances, health data, or other private information, because "cellular interception is more difficult, requires expensive hardware, is far more noticeable, and it is quite illegal" in the United States. That is a workaround rather than a fix: the apps still accept a certificate they should reject, and the advice only raises the cost of getting onto the network path. Strafach said companies and developers should also be more careful when creating apps that people trust with some of their most sensitive data, and in particular should not ship apps that accept an invalid TLS certificate.
Strafach said he will continue to investigate this vulnerability and will publish more information in 60 to 90 days. This should give many companies and developers enough time to update their apps, or at least acknowledge the problem, so the millions of people who use them aren't vulnerable to attack. Then perhaps "having personal data stolen from popular finance and health apps" can be removed from the list of things to worry about this season.