Many iOS apps from South African companies that deal with sensitive information are vulnerable to Man-in-the-Middle (MitM) attacks, according to SourceDNA’s Searchlight service.
The security flaw comes courtesy of the AFNetworking library for iOS and Mac OS X, which was recently updated to address another vulnerability related to Secure Sockets Layer (SSL) connections.
After it was patched to deal with the flaws discovered in version 2.5.1, an old bug made its way into AFNetworking version 2.5.2 which lets would-be hackers intercept data or hijack the SSL session between the app and the Internet.
The new exploit uses the fact that SSL domain name validation in AFNetworking is off by default, which means that all the attacker needs is a valid SSL certificate.
Domain name validation would only be enabled if the developer turned on certificate pinning, but SourceDNA said few developers are using this feature.
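The difference between the default policy the article describes and a pinned policy, shown as an added Objective-C example (not code from the article, SourceDNA or the AFNetworking project). The host name and the bundled certificate file name are placeholders; the comments on default values describe the 2.5.2 behaviour as reported above.

```objectivec
#import <AFNetworking/AFNetworking.h>

// Weak configuration: the default policy uses AFSSLPinningModeNone, and on
// AFNetworking 2.5.2 validatesDomainName defaulted to NO, so any certificate
// chaining to a trusted CA was accepted regardless of the host it was issued for.
AFHTTPSessionManager *weakManager(void) {
    NSURL *base = [NSURL URLWithString:@"https://api.example.com"]; // placeholder host
    AFHTTPSessionManager *manager = [[AFHTTPSessionManager alloc] initWithBaseURL:base];
    manager.securityPolicy = [AFSecurityPolicy defaultPolicy];
    return manager;
}

// Hardened configuration: pin the server certificate shipped in the app bundle
// and require the leaf certificate's name to match the host being contacted,
// set explicitly rather than relying on the library's default.
AFHTTPSessionManager *hardenedManager(void) {
    NSURL *base = [NSURL URLWithString:@"https://api.example.com"]; // placeholder host
    AFHTTPSessionManager *manager = [[AFHTTPSessionManager alloc] initWithBaseURL:base];

    // "api_example_com.cer" is an assumed resource name for the DER-encoded
    // server certificate added to the app bundle.
    NSString *path = [[NSBundle mainBundle] pathForResource:@"api_example_com" ofType:@"cer"];
    NSData *certData = [NSData dataWithContentsOfFile:path];
    NSCAssert(certData != nil, @"pinned certificate missing from bundle");

    AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];
    policy.pinnedCertificates = @[certData];
    policy.allowInvalidCertificates = NO;   // reject self-signed or untrusted chains
    policy.validatesDomainName = YES;       // host name must match the certificate
    manager.securityPolicy = policy;
    return manager;
}
```

Pinning requires the app to be updated whenever the server certificate is rotated, so the bundled certificate should be tracked alongside the server's renewal schedule.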
SensePost, an information security firm headquartered in South Africa, previously warned that developers should use certificate pinning to protect against MitM attacks.
After being notified of the regression, the AFNetworking developer released version 2.5.3, but SourceDNA said that many apps remain vulnerable.
It added that its online service, Searchlight, was updated to show which apps remain vulnerable.
South African financial, social apps vulnerable
SourceDNA’s site suggests that a number of locally-developed applications are vulnerable.
Among the apps listed as affected by the security flaw are:
- Absa Homeowner
- BitX Wallet
- Discovery HealthID
- DStv Now
- Standard Bank App
- Standard Bank Mobile Banking
- Ster-Kinekor Theatres
SnapScan and Zapper said their apps were incorrectly flagged.
SnapScan boss Kobus Ehlers said their app is secure and that it was not affected by the first or second flaw found in AFNetworking.
“Although we do not have detailed insight into [SourceDNA’s] detection mechanisms, we can confirm that we are not using either of the affected versions of this package (2.5.1 or 2.5.2),” Ehlers said.
Absa provided similar feedback, saying that it regularly conducts thorough technical tests on its apps, including the Homeowner app.
Like SnapScan, the Homeowner app does not use version 2.5.1 or 2.5.2 of AFNetworking, Absa said.
Zapper said it does use AFNetworking in its stack, but added that it is not affected as it uses alternative patterns to manage encrypted communication.
“We update our application regularly and have applied the updated fix to our version of the AFNetworking already queued for release pending approval from the Apple App store,” said Zapper head Derek Wiggill.
Other companies confirmed they are aware of the issue, and are either working on it or have already submitted a fix.
Spokespeople for 22seven and BitX said they have already submitted new versions of their apps and are waiting for approval from Apple.
Zomato said it will be submitting an updated build of its app within 48 hours.
Standard Bank said that the need for a one-time PIN to perform transactions mitigates some of the risk posed by the bug in AFNetworking, but added that it will be submitting a version of its app that uses certificate pinning to Apple.
Discovery, DStv, and Ster-Kinekor said they were working on a response, while Takealot and Mxit did not respond by the time of publication.
What can you do?
It is not only South African apps that were affected by this issue.
Other apps affected included Uber, Snapchat, Viber, Mailbox (by Dropbox), Microsoft OneDrive, and “secure” messaging service Telegram.
SourceDNA’s report only lists version 2.9.4 of Telegram, though, while version 2.12 is available in the App Store.
WhatsApp was not listed as affected.
Though there is a small chance that a hacker would use such a targeted attack to randomly harvest private data, users are advised not to use any apps left vulnerable by this bug on public Wi-Fi hotspots.
Updates: Absa provided comment following the publication of this article, saying that its homeowner app was not affected. Standard Bank has also given feedback, saying that it will be submitting a version of its banking app that includes certificate pinning.
Thanks to Gerd Naschenweng for the tip.