25,000 iOS Apps Exposed to Attacks by SSL Bug in AFNetworking

25,000 iOS Apps Exposed to Attacks by SSL Bug in AFNetworking

Thousands of iOS applications by major developers such as Microsoft and Yahoo have been compromised by a bug that affects SSL (Secure Sockets Layer) code in AFNetworking. AFNetworking is a networking library that programmers use to build components for iOS applications. Researchers have reported that the framework has been updated three times during the last six weeks. The frequent updates were aimed particularly at SSL vulnerabilities that may be exploited in man-in-the-middle attacks.

The number of affected applications is estimated at 25,000.

Any criminal mind with a server certificate can take advantage of the applications’ weakness, and view encrypted traffic, says security report on the matter. Researchers also note that any valid SSL certificate can be used to decrypt data.

MitM attacks often exploit the option to alter communications between two sites unaware of the third-party intrusion. A perfect example of MitM attacks is the so-called eavesdropping.

Additionally, an attack could have been triggered anywhere, even in public places that provide Internet connection, just because the domain name wasn’t checked.

The SSL flaw was discovered by Ivan Leichtling from the multinational corporation Yelp.

Curiously enough, AFNetworking security team had already dealt with the vulnerability prior to the release that was also aimed at an SSL-generated bug, but somehow the fix was left out.

The fix itself was in regard to an absence of SSL certificate validation. The latter grants any attacker with a self-promoted certificate the chance to intercept with encrypted traffic.

Researchers later found out that a good deal of developers had not updated their products after the patch was initiated. Thus, the users of thousands of iOS applications remained exposed to attacks.

Developers are advised to integrate the new AFNetworking as soon as possible, so that domain name validation is activated by default.