The IT security researchers at Verify.ly, a service that scans the binary code of iOS apps for security flaws, have found that 76 popular iOS apps are not safe to use. Verify.ly says these are extremely common apps, with a combined total of 18 million downloads. The problem is that these apps have no protection against silent interception of their TLS-protected data.
The research team at Verify.ly tested the shortlisted 76 apps, which included browser apps, the Vice News app and various VPN apps, and found all of them to be exploitable. An attacker can launch a silent man-in-the-middle attack using the vulnerability and intercept, exploit and even steal crucial user data such as bank account login credentials.
Verify.ly founder Will Strafach released a detailed report outlining the findings, in which 33 of the 76 vulnerable apps are categorized as low-risk, 24 as medium-risk and 19 as high-risk.
Strafach further stated that their system has shortlisted “hundreds of applications” that are likely to be more vulnerable to data interception. He tested the company’s claim using a “live iPhone running iOS 10” together with a “malicious proxy” that inserted an invalid TLS certificate into the connection.
It must be noted that the medium- and low-risk groups of apps are not vulnerable to interception of confidential user data, but the high-risk apps can give away valuable data, including credentials for financial or medical services such as usernames and passwords.
Strafach also clarified that, unlike attacks on other devices, which require the attacker to be on the same Internet network, this attack on iOS apps can be carried out by anyone within Wi-Fi range of the device. “This can be anywhere in public, or even within your home if an attacker can get within close range,” added Strafach.
It was also identified that the App Transport Security feature, a highlight of iOS, does not block this vulnerability or stop the data in transit from being intercepted. Strafach stated that, to protect data, it is better to switch off your Wi-Fi and cellular data. It is also wise to use cellular data when logging in to your bank account, making transactions or checking balances, because cellular networks are not as easy to monitor as Wi-Fi networks.
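The reason ATS cannot help here is that the app's own code overrides the server-trust decision. As an added illustration (not code from Verify.ly or any of the listed apps), the following Swift shows the weak URLSession delegate pattern that accepts any certificate a proxy presents, beside a hardened delegate that runs the system chain validation and then pins the leaf certificate; the pin value is a placeholder and `SecTrustEvaluateWithError`/CryptoKit assume iOS 12/13 or later.

```swift
import Foundation
import CryptoKit

// Placeholder pin: SHA-256 of the server's DER-encoded leaf certificate.
// Replace with the hash of your own server's certificate before use.
let pinnedLeafSHA256 = "0000000000000000000000000000000000000000000000000000000000000000"

// Weak pattern: trusts whatever certificate the peer presents, so an
// invalid certificate from an interception proxy is accepted. ATS does not
// intervene because the app itself tells URLSession to use the credential.
final class TrustEverythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if let trust = challenge.protectionSpace.serverTrust {
            completionHandler(.useCredential, URLCredential(trust: trust)) // never do this
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

// Hardened pattern: let the system validate the chain (expiry, hostname,
// trusted root), then additionally require the pinned leaf certificate.
final class PinnedDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error),          // step 1: standard validation
              let leaf = SecTrustGetCertificateAtIndex(trust, 0) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let der = SecCertificateCopyData(leaf) as Data             // step 2: pin check
        let digest = SHA256.hash(data: der).map { String(format: "%02x", $0) }.joined()
        if digest == pinnedLeafSHA256 {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil) // reject the connection
        }
    }
}
```

Installing `PinnedDelegate` on the app's `URLSession` makes an injected certificate fail at step 1 or step 2 rather than being silently accepted.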
List of high-risk vulnerable apps:
Strafach did not reveal the list of high-risk apps, because the researchers have already informed the affected companies and given them 60 to 90 days to issue security updates. The list will be revealed in a follow-up within two to three months, since cyber criminals could target those apps if their names were published before they are patched. However, the category of those apps includes banks, medical services and developers of other sensitive apps.
List of low-risk vulnerable apps:
- Free Video Call, Text and Voice
- Snap Upload for Snapchat
- Uconnect Access
- Uploader Free for Snapchat
- Safe Up for Snapchat
- Tencent Cloud
- Uploader for Snapchat
- Huawei HiLink (Mobile WiFi)
- VICE News
- Trading 212 Forex & Stocks
- 1000 Friends for Snapchat
- YeeCall Messenger
- Loops Live
- Private Browser
- Cheetah Browser
- AMAN BANK
- FirstBank PR Mobile Banking
- VPN free
- Gift Saga
- Vpn One Click Professional
- Music tube
- Foscam IP Camera Viewer by OWLR for Foscam IP Cams
- Code Scanner by ScanLife: QR and Barcode Reader
If you are using any of these apps, it is better to delete them, or use them as little as possible, since the former National Security Agency (NSA) chief Michael Hayden told a revealing story about iPhone apps. According to Der Spiegel, a salesman approached Hayden and his wife in an Apple store and praised the iPhone, saying that there were already “400,000 apps” for the device. Hayden, amused, turned to his wife and quietly asked: “This kid doesn’t know who I am, does he? Four-hundred-thousand apps mean 400,000 possibilities for attacks.”