iOS apps affected by MiTM attack via networking library - check your apps

MagicDude4Eva · Apr 21, 2015

The advisory came out about a month ago, and since it has now become public, I will share this - http://www.naschenweng.info/2015/04/21/south-african-ios-apps-affected-security-flaw/

I suggest that you check your apps which use sensitive information via this link: http://searchlight.sourcedna.com/lookup and upgrade apps (or avoid using them until patched).

TL;DR: Only Uber seems to be affected and other apps have been patched. It does look like some local apps (Multichoice, Takealot etc) are using outdated libraries or have only recently updated. Interesting is that Uber for example downgraded to 2.5.0 instead of upgrading to the patched 2.5.2 version.

MagicDude4Eva · Apr 24, 2015

SourceDNA (http://sourcedna.com/blog/20150424/afnetworking-strikes-back.html) just confirmed that apps are affected by another flaw. I take back my previous comment that most SA apps are not vulnerable. A number of apps affected: Takealot, SBSA, Discovery, Ster-Kinekor, OLX, News24, Multichoice/Supersport, Snapscan, Autotrader and others:

akescpt · Apr 24, 2015

what must like happen now?

MagicDude4Eva · Apr 24, 2015

akescpt said:
what must like happen now?

I doubt that most app developers are aware of that their apps have issues. Remember, that the chances of a MiTM are low (except if you use the apps on a public network). I would check via the above URL what apps you use and which have an issue and then inform the developers. Until the apps have been fixed, I would avoid using them on an untrusted network/Wifi hotspot etc.

akescpt · Apr 24, 2015

MagicDude4Eva said:
I doubt that most app developers are aware of that their apps have issues. Remember, that the chances of a MiTM are low (except if you use the apps on a public network). I would check via the above URL what apps you use and which have an issue and then inform the developers. Until the apps have been fixed, I would avoid using them on an untrusted network/Wifi hotspot etc.

so home network is fine?

MagicDude4Eva · Apr 24, 2015

akescpt said:
so home network is fine?

As long as your Wifi router is secured and not hacked

Have a look at these articles: http://www.labnol.org/internet/secure-your-wireless-wifi-network/10549/ & http://www.cnet.com/how-to/home-networking-explained-part-6-keep-your-network-secure/ & http://www.wikihow.com/Secure-Your-Wireless-Home-Network

Kevin Lancaster · Apr 24, 2015

Massive security flaw leaves iOS apps open to hacking

Massive security flaw leaves iOS apps open to hacking

A second security vulnerability discovered in the popular AFNetworking library has left over 25,000 iOS apps open to man-in-the-middle attacks.

sajunky · Apr 24, 2015

Telegram LLC: Version: 2.9.4
What a shame... a month ago upgraded to 2.11.

Adobe: Reader, etc.. still bad!
Microsoft: OneDrive - important!

MagicDude4Eva · Apr 24, 2015

So based on a quick check of local apps, the exposure is - http://www.naschenweng.info/2015/04/24/south-african-ios-apps-vulnerable/ :
- 22seven
- Autotrader
- Checkers
- Discovery
- Groupon
- Multichoice
- News24
- Old Mutual
- OLX
- Shoprite
- Snapscan
- Standard Bank
- Ster-Kinekor
- Takealot

Jan · Apr 24, 2015

Got comment from a few of the companies whose apps are affected. Article here: SA financial, messaging apps open to hacking.

kianm · Apr 25, 2015

So development is all mostly about patching holes. I guess it's also a bit of a challenge to introduce new features because in the process you introduce new holes.

zippy · Apr 25, 2015

kianm said:
So development is all mostly about patching holes. I guess it's also a bit of a challenge to introduce new features because in the process you introduce new holes.

Its an arms race. Those who get caught out are the ones who get complacent. iOS and Android are always going to be targets because of their footprint out there. The biggest risk is a developer/company who thinks their OS/Platform is immune to vulnerabilities and attack.

What people need to accept is that with enough effort, any platform can be hacked. If hackers had the resources of govt's they would be unstoppable. The ultimate protection is to not be connected to the internet at all. Of course this is extreme and not practical in obvious situations. But developers can follow some basics. The first and you would think the most obvious is keep your system updated with the latest security patches.

Just about every time you read about something like this, its a previous version which is vulnerable. And its staggering to see who doesn't keep the systems, particularly the security and network libraries, updated.

Jan · Apr 25, 2015

Updated the article with comment from Absa and Standard Bank.

Tahir Ally · Apr 25, 2015

Security should be in the DNA when creating something and not just a feature sprinkled later.

sajunky · Apr 25, 2015

zippy said:
If hackers had the resources of govt's they would be unstoppable.

Actually they have resources from govt's.

MagicDude4Eva · Apr 25, 2015

You will be equally surprised how many apps have other security issues outside of SSL.

There are a number of local apps which assume that you"can not see the URL" or which have an implicit trust relationship with their backend systems just because a service is called via an app.

Throw in Charles Proxy and a bunch of other tools and you will not do your shopping or banking on a mobile device once you see what's going on.

Never mind the data being collected and sent to 3rd parties.

Creag · Apr 26, 2015

MagicDude4Eva said:
You will be equally surprised how many apps have other security issues outside of SSL.

There are a number of local apps which assume that you"can not see the URL" or which have an implicit trust relationship with their backend systems just because a service is called via an app.

Throw in Charles Proxy and a bunch of other tools and you will not do your shopping or banking on a mobile device once you see what's going on.

Never mind the data being collected and sent to 3rd parties.

Thanks for the thread started, the heads up and information. I have to say it is the practice of passing on my data to 3rd parties that really grates me. It irritates me that use them in good faith and then they expose me and my preferences which were thought to be private to the highest bidder. Swines!

MagicDude4Eva · Apr 26, 2015

McT said:
Thanks for the thread started, the heads up and information. I have to say it is the practice of passing on my data to 3rd parties that really grates me. It irritates me that use them in good faith and then they expose me and my preferences which were thought to be private to the highest bidder. Swines!

With POPI they are not allowed to do this without your consent, but most companies have horrible T&Cs which give them blanket permission to do anything with your data.

Almost all e-commerce sites do this and they will also share your purchasing history with 3rd parties in exchange for mailing lists or for profit. It is not uncommon for some to pay more than 20 bucks per contact.

tRoN · Apr 26, 2015

Eish. Cybercrime versus carjacking

Join the MyBroadband community

Get started

iOS apps affected by MiTM attack via networking library - check your apps

Banned

Banned

Honorary Master

Banned

Honorary Master

Banned

MyBroadband Editor

Honorary Master

Banned

Who's the Boss?

Honorary Master

Honorary Master

Who's the Boss?

Senior Member

Honorary Master

Banned

The Boar's Rock

Banned

Executive Member