The bug prevents the apps from correctly authenticating SSL certificates, opening the apps up to a number of man-in-the-middle attacks. While this app doesn’t affect the security of iOS itself, it could compromise user data transmitted through affected apps…
A Simple Bug That Breaks SSL
The bug in question is in the AFNetworking package, a popular open-source networking solution used in thousands of App Store apps. The bug is a simple logic error that stops the SSL check from actually taking place, returning all certificate checks as valid. This isn’t a massive security disaster like HeartBleed or ShellShock– but it is a problem if you use an app that contains the bug. Luckily, the bug existed for only about six weeks, added in 2.5.1, and fixed in 2.5.2. You might reasonably assume that is the end of the story.
Sadly, many developers do not actively keep their apps up to date with bug fixes, and there are a bunch of apps which are still using the broken version of AFNetworking, despite the availability of a patch. SourceDNA analyzed 20,000 apps which contain versions of the AFNetworking package, and determined that about 1,000 are still using the broken SSL check.
SourceDNA was able to perform this check by using analytics tools which make it possible to analyze the binary files of thousands of apps. Their technology lets them identify not just which libraries these apps were compiled with, but which versionsof those libraries. As it turns out, this is incredibly useful for identifying which apps may be impacted by known bugs and vulnerabilities. According to the paper released,
“SourceDNA created a differential fingerprint from them to find the vulnerable code. Think of this as a set of unique characteristics that were present or absent only in the targeted version and not any others before or after it. With this set of signatures, our analysis engine would tell us exactly which version of AFNetworking was in use in each app. “Many of the affected apps store and transmit user credit card data, including the Alibaba.com mobile app, KYBankAgent 3.0, and Revo Restaurant Point of Sale. Several million users have a vulnerable app installed on their iOS device – an astonishing amount of exposure from such a brief bug.
“5% or about 1,000 apps had the flaw. Are these apps important? We compared them against our rank data and found some big players: Yahoo!, Microsoft, Uber, Citrix, etc. It amazes us that an open-source library that introduced a security flaw for only 6 weeks exposed millions of users to attack.”
Assessing The Impact of the AFNetworking BugHow bad is this vulnerability? The bug allows attackers to fool apps into thinking that they’re communicating over a secure connection with a trusted server. If you’re using a vulnerable app, anyone on the same WiFi network as you can set up a man-in-the-middle attack and intercept info from the apps, including sensitive data like credit card information. This information could then be used to facilitate identity theft and other forms of fraud. Potentially, this kind of attack could be automated to target popular apps.
A number of companies have rushed out updates and fixes since the news broke, including Microsoft and Yahoo. Most of the apps, though, remain unpatched. To see if the apps you use are affected, you can use the SourceDNA search tool. If you discover that one of your apps is still vulnerable, the safest strategy is to delete it temporarily, and message the developers asking them to put out a patch as soon as possible.
SourceDNA is a clever tool, and this demonstrates that their technology is genuinely useful. Computer security is hard, and a tool that can automate the process of looking for unpatched bugs – with or without developer cooperation – is a huge win for user security. Without this kind of checking, this widespread bug would have persisted, probably for quite a long time. This kind of analysis enables mass public shaming that makes developers much more accountable, and it seems likely that SourceDNA will uncover further undetected and unsolved problems.
Is your iOS device affected by the AFNetworking bug? Are you excited by these new analytics tools? Let us know in the comments!