Security flaws continue to plague popular Apple products with security researchers and bloggers all a buzz over a trio of issues
On Monday (20th April) Ars Technica reported that around 1,500 iPhone and iPad applications contain an HTTPS-crippling vulnerability that makes it easy for attackers to intercept encrypted passwords, bank-account numbers, and other highly sensitive information, according to research by SourceDNA.
The flaw lies within the AFNetworking library software that developers use when developing or upgrading their applications. It was fixed three weeks ago with the release of a new version, however at least 1,500 iOS apps remain vulnerable because some developers are still using a previous version. To be clear this issue relates to particular applications and not Apple’s iOS software.
What can users do?
SourceDNA have provided a search tool that allows users to find out if their apps are affected by this vulnerability. The recommendation is that you use this tool to check your apps, especially apps requiring encrypted passwords, bank-account numbers, and other highly sensitive information. If any of your apps are vulnerable, your safest course of action would be to delete the app now and wait to download it again, once you know the app developer has released a new version (without the vulnerability).
How to use the search tool
You will need to know the name of the company who developed your application and this can be found by searching for your app in Apple iTunes App Store. The developer will be noted on the top left under the apps name e.g. Media Applications Technologies Limited. Then enter the developers name into the search tool and click search. On the next screen you then have to chose the developers name and click on submit for the result (see images below).
There is some bad news for Mac users, despite updating your computer to the latest version (released last week) it looks like your computer is still vulnerable to the Rootpipe flaw. So if it wasn’t disappointing enough that it took Apple so long to released a fix for this flaw and that they have no plans to patch older, pre-Yosemite, versions of the operating system, it is now claimed that they’ve failed to actually fix the flaw.
In Graham Cluley’s blog earlier this week he say’s:
“All eyes now turn to Apple for a response, and – if you’re concerned about the vulnerability – it would make sense to take care over who you allow to use your computer.
Let’s all hope that Apple will fix the problem once and for all now, and – hey Apple! – how about providing some protection for users of older versions of OS X at the same time, eh?”
Graham Cluley advises of a vulnerability in iOS that could allow malicious hackers to use a small device, which tries to automatically capture any iOS device within range to get them to join a fake network, after which they could try to issue an attack that crashes the iOS devices.
This type of attack could be used at political events, busy airports or by protestors in financial hubs, however, it’s hoped that this would not happen as the researchers have responsibly alerted Apple to the risk and have not released enough details publicly, for the flaw to be exploited.
Users should not be unduly worried at this point, however, when a patch is released users would be wise to upgrade their iOS.
Key ‘take-away’ messages from this blog
Apple operating systems are no longer the low vulnerability risk that they used to be and the number of these types of vulnerabilities are on the increase (as indicated by the table below). Apple users need to be as vigilant and well informed about possible vulnerability threats as users of other operating systems.
Follow us on Twitter @CU_InfoSec for vulnerability news and updates.
Known iOS Vulnerabilities (by Year)
Source: Skycure analysis based of CVEdetails.com