One of the reasons that Apple decided early on that every app had to be submitted to be reviewed before going to the App store was so that the company could be sure that the apps would work as promised and not compromise the iPhones and iPads they are installed on. Recently a HTTPS snooping flaw that didn’t come from the apps themselves, but from a third-party library affected thousands of iOS apps.
The apps that were affected by the snooping flaw had millions of users. This flaw was in an open-source library called AFNetworking used by thousands of apps for iOS and Mac devices. This library allowed the devices to communicate with web services.
The snooping flaw disabled the validation of digital certificates presented by servers when establishing secure HTTPS connections. When the fake certificates are presented, attackers can be in position to intercept encrypted traffic between the affected applications and HTTPS servers. With the data intercepted, the attackers could then decrypt and modify the data by giving the apps a fake certificate.
Researchers says it’s hard to determine how much this attack impacts the iOS realm because the vulnerability only affected apps that uses AFNetworking 2.5.1 that was released February 9 and even out of those using that library, only apps that uses the library’s SSL/TLS function. This vulnerability has been patched with AFNetworkign 2.5.2 released on March 26. Some of the apps believed to have been vulnerable during this attack were from major companies like Yahoo, Microsoft, Uber, Citrix and others. Some of these apps have been patched, but others are still vulnerable according to SourceDNA. The company did create a website to tell you if your apps are vulnerable.
SOURCE: PC World