Millions of users are potentially affected

Apr 21, 2015 09:58 GMT  ·  By

A bug in an older version of a widely used networking library for iOS and OS X, present in products from prominent developers, can be exploited to decrypt the secure traffic from an iOS app, allowing an attacker access to sensitive data like credentials and banking info.

Version 2.5.1 of the open-source AFNetworking library is affected by a security vulnerability that disables SSL (Secure Sockets Layer) certificate validation, permitting someone in a position to intercept the connection (a man-in-the-middle attack) to read the encrypted information in plain text.

Almost 1,000 iOS apps are vulnerable

The security flaw was patched in late March, but not all developers have integrated the updated code into their apps, leaving their users exposed, especially those still running outdated versions.

In research published on Monday, the analytics service SourceDNA created fingerprints to track down free apps that contain AFNetworking 2.5.1 and discovered that about 1,000 products had not moved to the succeeding, safer version of the library.

The faulty release of AFNetworking is included in software from major developers, such as Yahoo (Yahoo Finance 2.3.2) and Microsoft (OneDrive 5.1).

Their apps, however, have been updated to new versions that rely on a secure variant of the networking library, so users should simply install the latest revision to be on the safe side.

On the other hand, there are other developers who have not made the switch and whose users may become victims. Two of them are Alibaba.com (versions 3.3.2 and 3.3.3) and Citrix (OpenVoice Audio Conferencing 1.4.0 and 1.5.1).

Check if apps are vulnerable or not

To help both users and developers identify the hazardous products, SourceDNA released a service that checks if the apps from a developer are vulnerable.
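A developer can also run the check locally instead of relying on an outside service. The following is an added example, not SourceDNA's tooling and not AFNetworking code: it reads the CocoaPods Podfile.lock of a project and flags a resolved AFNetworking 2.5.1, the version the article names as affected. It assumes the app pulls AFNetworking in through CocoaPods, and the lock file shown is constructed for the example.

```python
import re

# Version the article reports as shipping with certificate validation
# disabled. The article does not name the fixed release, so only this
# exact version is flagged.
AFFECTED_AFNETWORKING_VERSIONS = {"2.5.1"}

# Resolved pod entry in the PODS: section of a Podfile.lock, e.g.
# "  - AFNetworking (2.5.1):" or "    - AFNetworking/Security (= 2.5.1)".
_POD_LINE = re.compile(
    r"^\s*-\s+(?P<name>[A-Za-z0-9_.+-]+)(?:/[^\s(]+)?"
    r"\s+\((?:=\s*)?(?P<version>[0-9][^)\s]*)\)"
)

# Constructed sample of a CocoaPods lock file, not taken from any real app.
SAMPLE_PODFILE_LOCK = """\
PODS:
  - AFNetworking (2.5.1):
    - AFNetworking/NSURLSession (= 2.5.1)
    - AFNetworking/Security (= 2.5.1)
  - AFNetworking/NSURLSession (2.5.1):
    - AFNetworking/Security
  - AFNetworking/Security (2.5.1)
  - SomeOtherPod (1.0.0)

DEPENDENCIES:
  - AFNetworking (~> 2.5)
  - SomeOtherPod

COCOAPODS: 0.36.0
"""


def resolved_pods(podfile_lock: str) -> dict:
    """Return {pod_name: resolved_version} from the PODS: section only.

    DEPENDENCIES: holds requirements such as "~> 2.5", not the version that
    was actually linked into the app, so that section is skipped.
    """
    pods, in_pods = {}, False
    for line in podfile_lock.splitlines():
        if line.strip() and not line.startswith(" "):  # section header
            in_pods = line.strip() == "PODS:"
            continue
        match = _POD_LINE.match(line) if in_pods else None
        if match:  # first occurrence wins; subspecs repeat the same version
            pods.setdefault(match.group("name"), match.group("version"))
    return pods


def vulnerable_afnetworking(podfile_lock: str):
    """Return the resolved AFNetworking version if affected, else None."""
    version = resolved_pods(podfile_lock).get("AFNetworking")
    return version if version in AFFECTED_AFNETWORKING_VERSIONS else None


if __name__ == "__main__":
    print(vulnerable_afnetworking(SAMPLE_PODFILE_LOCK))  # 2.5.1
```

Apps that vendor AFNetworking source directly rather than through CocoaPods need the version read from the bundled headers instead; the lock-file check will not see them.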

According to SourceDNA, the number of users impacted amounts to millions. Developers have started to address the risk and released updates for their products, so clients should be able to install the new, risk-free revisions.