Image: smartphone with code (homestage/Pixabay)

Apple’s App Store is generally considered a much safer app marketplace than its competitors, but at least 76 popular iOS apps were recently found to be susceptible to data interception, according to a report from a security researcher.

The findings come from verify.ly, a service created by Sudo Security Group CEO Will Strafach. The service scans the binary code of an iOS app and produces a report of common security issues; using it, Strafach was able to confirm that a considerable number of heavily downloaded apps were vulnerable to silent man-in-the-middle attacks.

The affected apps do talk to their servers over Transport Layer Security, the protocol that secures communication between a client and a server, but they fail to validate the server’s certificate properly. TLS only protects a connection if the client rejects certificates that are not valid for the host it is talking to; because these apps accept such certificates, an attacker on the network path can present a certificate of their own, decrypt the traffic, and read or modify the user’s data in transit.
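The certificate-handling mistake behind this class of bug is easiest to see in code. The Swift below is an added illustration and is not code from the report or from any of the apps named: it shows a `URLSession` delegate that accepts any server certificate (the vulnerable pattern) beside one that lets the system validate the chain and additionally pins the expected certificate. The class names, the `pinnedCertificate` value and the idea of shipping a DER-encoded certificate in the app bundle are assumptions for the example; the Security framework calls are current Apple APIs, some of which are newer than the 2017 report.

```swift
import Foundation
import Security

// Added example, not from the report. Two URLSession delegates: the first
// reproduces the "accept anything" mistake, the second does it properly.

// VULNERABLE: trusts whatever certificate the server (or a MITM) presents.
final class TrustEverythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // `trust` is never evaluated: a self-signed or attacker-issued
        // certificate is accepted exactly like a valid one.
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// HARDENED: let the system validate the chain (trusted root, hostname,
// expiry), then pin the leaf to the certificate shipped with the app.
final class PinnedTrustDelegate: NSObject, URLSessionDelegate {
    // Assumption for the example: the DER bytes of the expected server
    // certificate, loaded from the app bundle at startup.
    private let pinnedCertificate: Data

    init(pinnedCertificate: Data) {
        self.pinnedCertificate = pinnedCertificate
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // 1. Standard X.509 validation. The trust object handed to the
        //    delegate already carries an SSL policy for the request's host,
        //    so this also checks the hostname.
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // 2. Pinning: the presented leaf must be byte-for-byte the one we ship.
        guard let leaf = SecTrustGetCertificateAtIndex(trust, 0),
              (SecCertificateCopyData(leaf) as Data) == pinnedCertificate else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}
```

For most apps the simplest fix is to not implement the challenge delegate method at all, or to answer `.performDefaultHandling`, so the system applies the same validation a browser would. Pinning is an extra layer against a compromised or misissued CA certificate, but a pinned certificate has to be rotated before it expires or the app stops working.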

“The truth of the matter is, this sort of attack can be conducted by any party within Wi-Fi range of your device while it is in use,” Strafach warns in a blog post on his findings. “This can be anywhere in public, or even within your home if an attacker can get within close range.”

He explained that an attack could be carried out with custom hardware or a slightly modified smartphone, and compared it to a skimmer that reads data from credit cards.

The 76 vulnerable apps have amassed over 18 million downloads from the App Store. Some are at greater risk than others, but users who have any of them installed will want to reconsider keeping them.

Included in the list was ooVoo, a popular video chat service whose app leaves usernames and passwords open to interception. According to Double Encore engineer Nick Arnott, the issue has been present in the app since 2013.

Other apps found to be at risk included the official Vice News app, several third-party Snapchat apps, banking apps for banks based in Puerto Rico and Libya, and several popular free virtual private network apps. The banking and VPN apps are of particular concern, since they are expected to provide greater security and are more likely to carry sensitive information.

Strafach has yet to name the apps he rates as high risk, saying he wants to reach out to the developers first so the problems can be fixed before the vulnerabilities are exposed to those who might exploit them. He did note, however, that they include apps from banks and medical providers.

Until the issue is fixed, Strafach advises users of these apps to access them only over a cellular network rather than Wi-Fi, since the vulnerabilities are harder to exploit on a mobile network, though it is still possible.