More than two-dozen popular apps for iPhones and iPads are still leaking sensitive information, such as login details for their services, despite having months to roll out a fix.
Earlier this year, Will Strafach set out to see which popular iPhone apps were vulnerable to man-in-the-middle attacks, which allow attackers to intercept data as it’s being passed from a device to a server.
Strafach, chief executive at Sudo Security Group (verify.ly), surveyed thousands of apps and found dozens that had badly implemented code that allowed the app to accept any certificate to establish an encrypted connection without properly validating it. That means a hacker within close range of a vulnerable device — such as the same Wi-Fi network — could trick the app into accepting a rogue certificate. The app doesn’t know any better, and the hacker can steal your username and password.
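The defect the article describes is an app-side TLS delegate that accepts whatever certificate the server presents. The following is an added example, not code from the article or from any of the apps it names: the first delegate shows the broken pattern, the second shows the fix, which lets the system trust store validate the chain and hostname and then optionally checks the leaf certificate against a pinned SHA-256 hash. The hostname `api.example.com` and the pin value are placeholders.

```swift
import Foundation
import Security
import CryptoKit

// INSECURE: the pattern behind the article's findings. Overriding the server-trust
// challenge and blindly wrapping the presented trust in a credential means any
// certificate, including a self-signed one from a machine on the same Wi-Fi, is
// accepted and the "encrypted" session can be read by the attacker.
final class InsecureSessionDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if let trust = challenge.protectionSpace.serverTrust {
            completionHandler(.useCredential, URLCredential(trust: trust))   // BUG: no validation
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

// HARDENED: evaluate the chain with the system's trusted roots and the expected
// hostname, then (optionally) require the leaf certificate to match a known pin.
// If the app has no reason to customise trust, the simplest fix is to not
// implement this callback at all; the default handling already does step 1.
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    // Placeholder pin: base64(SHA-256(DER of the leaf certificate)). Replace with
    // the real value for the server, and keep a backup pin for rotation.
    private let pinnedLeafHashes: Set<String> = ["PLACEHOLDER_BASE64_SHA256_OF_LEAF_DER"]

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Step 1: standard X.509 chain validation against the device trust store,
        // bound to the host the request was actually made to.
        let policy = SecPolicyCreateSSL(true, challenge.protectionSpace.host as CFString)
        SecTrustSetPolicies(trust, policy)
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)   // untrusted chain: abort
            return
        }

        // Step 2: pin the leaf certificate so even a mis-issued but "valid" cert
        // from a public CA is rejected.
        guard let leaf = SecTrustGetCertificateAtIndex(trust, 0) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let leafDER = SecCertificateCopyData(leaf) as Data
        let leafHash = Data(SHA256.hash(data: leafDER)).base64EncodedString()
        guard pinnedLeafHashes.contains(leafHash) else {
            completionHandler(.cancelAuthenticationChallenge, nil)   // pin mismatch: abort
            return
        }

        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// Usage (hypothetical endpoint): only the hardened delegate should ever ship.
let session = URLSession(configuration: .default,
                         delegate: PinnedSessionDelegate(),
                         delegateQueue: nil)
let task = session.dataTask(with: URL(string: "https://api.example.com/login")!) { _, response, error in
    if let error = error {
        print("request failed (expected on a tampered connection): \(error)")
    } else if let http = response as? HTTPURLResponse {
        print("status:", http.statusCode)
    }
}
task.resume()
```

The detection side is straightforward for an auditor: point the app at a proxy presenting an untrusted certificate and see whether the login request still completes. With the insecure delegate it does; with the hardened one the task fails with a cancelled challenge.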
Strafach disclosed the names of dozens of low-risk apps, but held off on disclosing the banking and medical apps in order to privately disclose the issue to each app developer.
Time has passed — three months specifically, the standard time in any disclosure process — and while some of the affected apps have been fixed, many have not.
Strafach confirmed that, of the popular high-risk apps that were vulnerable, HipChat and Foxit PDF were the only two that have since been fixed.
However, the majority of the rest of the apps were not fixed, and still expose user credentials.
Several banking apps, including Emirates NBD and 21st Century Insurance, are still vulnerable to having the customer’s username and password intercepted if the app is subjected to a man-in-the-middle attack.
CERT, the public vulnerability database run by Carnegie Mellon University, said in its disclosures posted Thursday that users of Think Mutual Bank and Space Coast Credit Union, which were also named in Strafach’s list, should “not use affected versions of the application.”
Also on the list of apps that could expose usernames and passwords if intercepted are Yo, a social networking tool; Diabetes in Check, a blood glucose level checker; and Dolphin Web Browser, which promises the user “private” internet search.
And other apps, such as one that allows Indiana residents to vote, were vulnerable to attacks, said Strafach, though he didn’t conduct extensive testing due to the sensitivity of the app.
Strafach said in a note that the easiest way to limit any issues is to use your phone’s data plan, or not to use the app at all.