Sudo Security Group finds at least 76 popular iOS apps aren’t securing user data properly


According to researchers, some iOS app builders are not encrypting your personal data properly.

According to the Sudo Security Group, at least 76 popular iOS apps aren’t securing your data properly. The apps in question seem to be vulnerable to an attack that allows transmitted data to be intercepted. Their developers have misconfigured networking code so that it accepts invalid Transport Layer Security (TLS) certificates. TLS is there to secure the app’s communication over your internet connection, preventing sensitive data from being seen. Sudo Security Group discovered the vulnerability by using its own software to inject invalid TLS certificates into an iPhone running iOS 10 and then scanning the iOS apps for the vulnerability.

“This sort of attack can be conducted by any party within Wi-Fi range of your device while it is in use,” Strafach said. “This can be anywhere in public, or even within your home if an attacker can get within close range.”

The company has disclosed a list of apps that it deems low-risk because the data they reveal isn’t highly sensitive. The remaining iOS apps, which the company deems high-risk, have not been named while it contacts their developers to make them aware of the situation. We can say those apps do include banks, medical providers and other highly-sensitive applications.

“Be extremely careful when inserting network-related code and changing application behaviors,” he wrote. “Many issues like this arise from an application developer not fully understanding the code they’ve borrowed from the web.”

List of low-risk apps that have this vulnerability:

  • ooVoo
  • VivaVideo
  • Snap Upload for Snapchat
  • Uconnect Access
  • Volify
  • Uploader Free for Snapchat
  • Epic!
  • Mico
  • Safe Up for Snapchat
  • Tencent Cloud
  • Uploader for Snapchat
  • Huawei HiLink
  • VICE News
  • Trading 212 Forex & Stocks
  • CashApp
  • FreeMyApps
  • 1000 Friends for Snapchat
  • YeeCall
  • InstaRepost
  • Loops Live
  • Privat24
  • Private Browser
  • Cheetah Browser
  • AMAN BANK
  • FirstBank PR Mobile Banking
  • vpn free
  • Gift Sage
  • Vpn One Click Professional
  • Music tube
  • AutoLotto
  • Foscam IP Camera Viewer
  • Code Scanner

Users of affected apps can protect themselves by turning off Wi-Fi when in a public location, Strafach says. That will force the phone to use a cellular connection to the internet, making it much harder for any hacker to eavesdrop unless they use expensive and illegal equipment.

Be sure to hit the Medium link below to read Will Strafach’s full post and more detailed analysis of the entire situation.

  Source: Infoworld  Source: Medium