Verify.ly, a service that scans the binary code of iOS apps for security issues, has disclosed that 76 iOS apps with a combined 18 million downloads are unprotected against silent interception of data they send over TLS.
All 76 apps, among them several VPN apps, browser apps and the popular Vice News app, were found during the test to be vulnerable to a silent man-in-the-middle attack that puts user data at risk.
The flaw comes down to the apps accepting an invalid TLS certificate from whoever sits between them and the server, which lets an attacker intercept and manipulate user data without the user noticing.
“Our system flagged hundreds of applications as having a high likelihood of vulnerability to data interception. I was able to fully confirm (app vulnerabilities) using a live iPhone running iOS 10 and a ‘malicious’ proxy to insert an invalid TLS certificate into the connection for testing,” wrote Will Strafach, Founder of Verify.ly.
The report found that 33 of the vulnerable apps fall into a low-risk group, 24 into a medium-risk group and 19 into a high-risk group.
The low- and medium-risk apps were not found to expose data that would be directly damaging if intercepted; the 19 high-risk apps, however, were judged likely to expose login credentials for financial or medical services.
It is commonly assumed that such an attack requires the attacker to be on the same network as the victim, typically a public Wi-Fi hotspot, but that is not the whole picture.
“The truth of the matter is, this sort of attack can be conducted by any party within Wi-Fi range of your device while it is in use. This can be anywhere in public, or even within your home if an attacker can get within close range,” Strafach adds.
“Many issues like this arise from an application developer not fully understanding the code they’ve borrowed from the web,” he added.
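The test Strafach describes, a proxy that inserts an invalid certificate into the connection, and the kind of borrowed code that fails it, as an added example that is not part of the original article or of Verify.ly's tooling. It is written in Go rather than the Objective-C or Swift of the affected apps because Go's standard library can mint the throwaway certificate and run both endpoints offline; the server names, the "balance:" response body and the function names are all constructed for this illustration, and the accept-any-certificate setting stands in for its iOS equivalent, a connection delegate that approves every server trust.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// mintInvalidCert creates a self-signed certificate for 127.0.0.1 that no trust
// store knows: the invalid certificate the testing proxy inserts into the connection.
func mintInvalidCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "interceptor (constructed)"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// StartServers brings up two local HTTPS endpoints serving the same constructed
// "sensitive" body: the genuine service (httptest's own self-signed localhost
// certificate) and an interceptor presenting a different, invalid certificate.
func StartServers() (genuine, interceptor *httptest.Server, err error) {
	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "balance: 1234.56")
	})
	genuine = httptest.NewTLSServer(handler)
	cert, err := mintInvalidCert()
	if err != nil {
		genuine.Close()
		return nil, nil, err
	}
	interceptor = httptest.NewUnstartedServer(handler)
	interceptor.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	interceptor.StartTLS()
	return genuine, interceptor, nil
}

// InsecureConfig is the pattern that gets copied from the web: accept any
// certificate. The iOS analogue is a delegate that approves every server trust.
func InsecureConfig() *tls.Config { return &tls.Config{InsecureSkipVerify: true} }

// PinnedConfig trusts only the genuine server's certificate, so any other
// certificate on the wire, even a CA-issued one, fails the handshake.
func PinnedConfig(genuine *httptest.Server) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(genuine.Certificate())
	return &tls.Config{RootCAs: pool}
}

// Fetch performs one HTTPS GET under the given TLS policy; ok is false when the
// handshake was refused, which is the correct result against an interceptor.
func Fetch(cfg *tls.Config, url string) (body string, ok bool) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := client.Get(url)
	if err != nil {
		return "", false
	}
	defer resp.Body.Close()
	b, _ := io.ReadAll(resp.Body)
	return string(b), true
}

func main() {
	genuine, interceptor, err := StartServers()
	if err != nil {
		panic(err)
	}
	defer genuine.Close()
	defer interceptor.Close()
	for _, c := range []struct {
		name string
		cfg  *tls.Config
	}{{"accept-any-cert", InsecureConfig()}, {"pinned", PinnedConfig(genuine)}} {
		_, g := Fetch(c.cfg, genuine.URL)
		body, i := Fetch(c.cfg, interceptor.URL)
		fmt.Printf("%-16s genuine=%-5v interceptor=%-5v leaked=%q\n", c.name, g, i, body)
	}
}
```

Run with `go run .`: the accept-any-cert client talks happily to both endpoints and hands the body to the interceptor, which is exactly what the flagged apps do; the pinned client reaches the genuine server and refuses the interceptor. Pinning is one fix; simply not disabling validation and relying on the platform trust store is the minimum, since a public-CA-issued certificate for the real host is what the proxy cannot produce.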
The report also recommends that, when logging into a bank account to make a transaction or check a balance, users switch off Wi-Fi and use cellular data, since a cellular connection is relatively harder for a nearby attacker to intercept. This only raises the attacker's cost; the apps themselves stay vulnerable until their developers fix certificate validation.