SourceDNA has reported that there is a new security vulnerability in the AFNetworking library for iOS and Mac OS X which has left over 25,000 apps exposed to man-in-the-middle (MitM) attacks.
This vulnerability allows hackers to intercept personal or personally identifying data, or to hijack the Secure Sockets Layer (SSL) session between the app and the Internet.
According to SourceDNA, an old bug crept into the 2.5.2 version of AFNetworking after another SSL-related security flaw was reported in version 2.5.1, which was said to affect 1,500 apps.
The new exploit uses the fact that SSL domain name validation is off by default, which means that all the would-be attacker needs is a valid SSL certificate.
Domain name validation was only enabled if the developer had turned on certificate pinning, but SourceDNA said few developers are using this feature.
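The gap described above, as a simplified model added here for illustration (it is not AFNetworking's code and does not come from SourceDNA): chain validation and hostname validation are separate checks, and skipping the second lets any CA-issued certificate through. The names `Cert`, `hostname_matches`, `evaluate_trust` and the `.example` hostnames are assumptions made for this example.

```python
from collections import namedtuple

# Constructed stand-in for a leaf certificate after chain validation.
# dns_names: subjectAltName dNSName entries; chain_trusted: chains to a trusted CA.
Cert = namedtuple("Cert", ["dns_names", "chain_trusted"])


def hostname_matches(pattern, host):
    """RFC 6125-style match: '*' is allowed only as the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    if p_labels[0] == "*":
        # Require at least three labels so a pattern like "*.com" never matches.
        if len(p_labels) < 3 or not h_labels[0]:
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def evaluate_trust(cert, host, validates_domain_name):
    """Return True if a client with this policy would accept cert for host."""
    if not cert.chain_trusted:
        return False  # untrusted or self-signed chains are rejected either way
    if not validates_domain_name:
        # Hostname check skipped: every certificate with a trusted chain passes.
        return True
    return any(hostname_matches(name, host) for name in cert.dns_names)


# Constructed sample certificates (hypothetical hostnames).
UNRELATED = Cert(dns_names=["unrelated.example"], chain_trusted=True)
GENUINE = Cert(dns_names=["*.bank.example"], chain_trusted=True)
SELF_SIGNED = Cert(dns_names=["api.bank.example"], chain_trusted=False)

if __name__ == "__main__":
    for label, cert in [("unrelated", UNRELATED), ("genuine", GENUINE)]:
        for flag in (False, True):
            verdict = evaluate_trust(cert, "api.bank.example", flag)
            print(label, "validates_domain_name =", flag, "->", verdict)
```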
SensePost, an information security firm headquartered in South Africa, warned that developers should use certificate pinning to protect against MitM attacks.
“We were surprised to see this bug in 2.5.2, and doubly so when we realised this issue had already been reported and fixed the day after the previous SSL flaw was fixed, but no one seemed to have noticed that it had been left out of the 2.5.2 release,” said SourceDNA.
After the developer was notified, an updated version of AFNetworking (2.5.3) was released, but SourceDNA said many apps still remain vulnerable.
It said its Searchlight service has been updated to show which apps are vulnerable to the new security flaw.