A security report has found at least 76 popular iOS apps vulnerable to data interception. Together the apps have over 18 million downloads from the App Store.
Researchers at Sudo Security Group found that the apps implement encrypted communication with their back-end services in a way that lets a third party intercept user data. The apps' certificate validation can be fooled by a forged certificate presented by an interception proxy, so the Transport Layer Security (TLS) connection can be decrypted and inspected by anyone positioned on the network path, exposing whatever user data the app sends.
The apps range from social media add-ons such as third-party uploaders for Snapchat to banking apps such as FirstBank PR, and many of them handle sensitive user credentials that could be leaked through this flaw.
The report rates 33 of the applications (less than half) as relatively low risk, because most of the data they expose is only partially sensitive. Another 24 of the iOS apps were deemed medium risk, and 19 were rated high risk because they transmit financial or medical service login credentials.
The blog notes that App Transport Security (ATS), the iOS feature meant to keep data secure in transit, does not and cannot block this vulnerability. ATS debuted in iOS 9; when enabled it forces an app to connect to web services over HTTPS rather than plain HTTP, so that user data is encrypted while in transit. It does not help here because the flaw sits in the app's own certificate validation rather than in the transport: ATS requires a TLS connection, but it does not stop an app from overriding the system's trust evaluation of the server certificate it receives.
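The pattern the report describes, as an added example that is not code from the report or from any of the named apps: the first delegate accepts whatever certificate the server (or an interception proxy) presents, so an attacker's forged certificate is enough to read the traffic even with ATS enforcing HTTPS. The second delegate lets the system validate the chain and then pins the SHA-256 of the leaf certificate. The host `api.example.com`, the `expectedLeafSHA256` value and iOS 13 or later (for CryptoKit and `SecTrustEvaluateWithError`) are assumptions for the example.

```swift
import Foundation
import CryptoKit

// Placeholder back end for this example; not a host from the report.
let backend = URL(string: "https://api.example.com/login")!

// VULNERABLE: trust-anything delegate. ATS still requires the URL to be https://,
// but this override means a proxy presenting a forged certificate is accepted and
// everything sent to the back end, including credentials, is readable by the proxy.
final class TrustAnythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
           let trust = challenge.protectionSpace.serverTrust {
            // No SecTrustEvaluate call: forged, self-signed or expired certificates all pass.
            completionHandler(.useCredential, URLCredential(trust: trust))
            return
        }
        completionHandler(.performDefaultHandling, nil)
    }
}

// HARDENED: system chain validation first, then a pin on the leaf certificate so that
// even a certificate issued by a trusted CA for the wrong party is rejected.
final class PinningDelegate: NSObject, URLSessionDelegate {
    // Placeholder assumption. Compute the real value from the server's certificate with:
    //   openssl s_client -connect api.example.com:443 -servername api.example.com </dev/null 2>/dev/null \
    //     | openssl x509 -outform DER | openssl dgst -sha256
    private let expectedLeafSHA256 = "0000000000000000000000000000000000000000000000000000000000000000"

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // 1. Standard validation: chain to a trusted root, hostname match, validity period.
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // 2. Pin: compare SHA-256 of the leaf certificate's DER encoding against the expected value.
        guard let leaf = SecTrustGetCertificateAtIndex(trust, 0) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let der = SecCertificateCopyData(leaf) as Data
        let digest = SHA256.hash(data: der).map { String(format: "%02x", $0) }.joined()

        if digest == expectedLeafSHA256 {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // A proxy's forged certificate fails here even if it chains to a root the device trusts.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage: the delegate, not the URL scheme, decides whether a forged certificate is accepted.
let session = URLSession(configuration: .default, delegate: PinningDelegate(), delegateQueue: nil)
session.dataTask(with: backend) { _, response, error in
    if let error = error {
        print("request failed (expected when the certificate does not match the pin): \(error)")
    } else if let http = response as? HTTPURLResponse {
        print("status \(http.statusCode)")
    }
}.resume()
```

A quick way to check an app for the behaviour in the report is to route it through an interception proxy whose CA is not installed on the device: an app that still completes its requests is accepting the forged certificate, regardless of whether ATS is enabled.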
Although the blog names some of the low-risk apps, such as Snap Upload, Viva Video, Vice News, Mico and Tencent Cloud, it withholds the names of the high-risk ones, citing security concerns.
"Currently, this list is only available to limited parties due to sensitivity," writes Will Strafach, president of Sudo.