{"id":125100,"date":"2015-04-24T17:14:05","date_gmt":"2015-04-24T15:14:05","guid":{"rendered":"http:\/\/mybroadband.co.za\/news\/?p=125100"},"modified":"2015-04-25T10:23:27","modified_gmt":"2015-04-25T08:23:27","slug":"sa-financial-messaging-apps-open-to-hacking","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/security\/125100-sa-financial-messaging-apps-open-to-hacking.html","title":{"rendered":"SA financial, messaging apps open to hacking"},"content":{"rendered":"<p>Many iOS apps from South African companies who deal with sensitive information are vulnerable to Man-in-the-Middle (MitM) attacks, according to SourceDNA\u2019s Searchlight service.<\/p>\n<p>The security flaw comes courtesy of the AFNetworking library for iOS and Mac OS X, which was recently updated to address another vulnerability related to Secure Sockets Layer (SSL) connections.<\/p>\n<p>After it was patched to deal with the flaws discovered in version 2.5.1, an old bug made its way into AFNetworking version 2.5.2 which lets would-be hackers intercept data or hijack the SSL session between the app and the Internet.<\/p>\n<p>The new exploit uses the fact that SSL domain name validation in AFNetworking is off by default, which means that all the attacker needs is a valid SSL certificate.<\/p>\n<p>Domain name validation would only be enabled if the developer turned on certificate pinning, but SourceDNA said few developers are using this feature.<\/p>\n<p>SensePost, an information security firm headquartered in South Africa, previously warned that <a title=\"Wi-Fi hacking quadcopter from SA security firm\" href=\"http:\/\/mybroadband.co.za\/news\/security\/99600-wi-fi-hacking-quadcopter-from-sa-security-firm.html\"><strong>developers should use certificate pinning to protect against MitM attacks<\/strong><\/a>.<\/p>\n<p>After being notified of the regression, the AFNetworking developer released version 2.5.3, but SourceDNA said that many apps remain vulnerable.<\/p>\n<p>It 
added that its online service, <strong><a href=\"http:\/\/sourcedna.com\/blog\/20150424\/afnetworking-strikes-back.html\">Searchlight<\/a><\/strong>, was\u00a0updated to show which apps remain vulnerable.<\/p>\n<h3 class=\"my-4\">South African financial, social apps vulnerable<\/h3>\n<p>SourceDNA\u2019s site suggests that a number of locally-developed applications are vulnerable.<\/p>\n<p>Among the apps listed as affected by the security flaw are:<\/p>\n<ul>\n<li>22seven<\/li>\n<li>Absa Homeowner<\/li>\n<li>BitX Wallet<\/li>\n<li>Discovery<\/li>\n<li>Discovery HealthID<\/li>\n<li>DStv Now<\/li>\n<li>Mxit<\/li>\n<li>SnapScan<\/li>\n<li>Standard Bank App<\/li>\n<li>Standard Bank Mobile Banking<\/li>\n<li>Ster-Kinekor Theatres<\/li>\n<li>SuperSport<\/li>\n<li>Takealot.com<\/li>\n<li>Zapper<\/li>\n<li>Zomato<\/li>\n<\/ul>\n<p>SnapScan and Zapper said their apps were incorrectly flagged.<\/p>\n<div id=\"attachment_123750\" style=\"width: 610px\" class=\"wp-caption aligncenter\"><a  data-lightbox=\"post-image\" href=\"http:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2015\/04\/SnapScan-SnapBeacons.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-123750\" class=\"size-full wp-image-123750\" src=\"http:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2015\/04\/SnapScan-SnapBeacons.jpg\" alt=\"SnapScan SnapBeacons\" width=\"600\" height=\"400\" srcset=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2015\/04\/SnapScan-SnapBeacons.jpg 600w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2015\/04\/SnapScan-SnapBeacons-250x166.jpg 250w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/a><p id=\"caption-attachment-123750\" class=\"wp-caption-text\">SnapScan<\/p><\/div>\n<p>SnapScan boss Kobus Ehlers said their app is secure and that it was not affected by the first or second flaw found in AFNetworking.<\/p>\n<p>\u201cAlthough we do not have detailed insight into [SourceDNA\u2019s] detection mechanisms, we can confirm 
that we are not using either of the affected versions of this package (2.5.1 or 2.5.2),\u201d Ehlers said.<\/p>\n<div id=\"attachment_100144\" style=\"width: 610px\" class=\"wp-caption aligncenter\"><a  data-lightbox=\"post-image\" href=\"http:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2014\/04\/Absa-Apple.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-100144\" class=\"size-full wp-image-100144\" src=\"http:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2014\/04\/Absa-Apple.png\" alt=\"Absa Apple\" width=\"600\" height=\"400\" srcset=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2014\/04\/Absa-Apple.png 600w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2014\/04\/Absa-Apple-250x166.png 250w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/a><p id=\"caption-attachment-100144\" class=\"wp-caption-text\">Absa<\/p><\/div>\n<p>Absa provided similar feedback, saying that it regularly conducts thorough technical tests on its apps, including the Homeowner app.<\/p>\n<p>Like SnapScan, the Homeowner app does not use version 2.5.1 or 2.5.2 of AFNetworking, Absa said.<\/p>\n<div id=\"attachment_125112\" style=\"width: 610px\" class=\"wp-caption aligncenter\"><a  data-lightbox=\"post-image\" href=\"http:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2015\/04\/Zapper.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-125112\" class=\"wp-image-125112 size-full\" title=\"Zapper\" src=\"http:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2015\/04\/Zapper.jpg\" alt=\"Zapper\" width=\"600\" height=\"400\" srcset=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2015\/04\/Zapper.jpg 600w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2015\/04\/Zapper-250x166.jpg 250w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/a><p id=\"caption-attachment-125112\" class=\"wp-caption-text\">Zapper<\/p><\/div>\n<p>Zapper said it\u00a0does use AFNetworking in its stack, 
but added that it\u00a0is\u00a0not affected as\u00a0it\u00a0uses alternative patterns to manage encrypted communication.<\/p>\n<p>\u201cWe update our application regularly and have applied the updated fix to our version of the AFNetworking already queued for release pending approval from the Apple App store,\u201d said Zapper head Derek Wiggill.<\/p>\n<p>Other companies confirmed they are aware of the issue, and are either working on it or have already submitted a fix.<\/p>\n<p>Spokespeople for <strong>22seven<\/strong> and <strong>BitX<\/strong> said they have already submitted new versions of their apps and are waiting for approval from Apple.<\/p>\n<p><strong>Zomato<\/strong> said it will be submitting an updated build of its app within 48 hours.<\/p>\n<p><strong>Standard Bank<\/strong> said that the need for a one-time PIN to perform transactions\u00a0mitigates some of the risk posed by the bug in AFNetworking, but added that it\u00a0will be submitting a version of its app that uses certificate pinning to Apple.<\/p>\n<p>Discovery, DStv, and Ster-Kinekor said\u00a0they\u00a0were working on a response, while Takealot and Mxit did not respond by the time of publication.<\/p>\n<h3 class=\"my-4\">What can you do?<\/h3>\n<p>It is not only South African apps that were affected by this issue.<\/p>\n<p>Other apps affected included Uber, Snapchat, Viber, Mailbox (by Dropbox), Microsoft OneDrive, and\u00a0&#8220;secure&#8221;\u00a0messaging service Telegram.<\/p>\n<p>SourceDNA&#8217;s report only lists version 2.9.4 of Telegram, though, while version 2.12 is available in the App Store.<\/p>\n<p>WhatsApp was not listed as affected.<\/p>\n<p>Though there is a small chance that a hacker would use such a targeted attack to randomly harvest private data, users\u00a0are advised not to use any apps left vulnerable by this bug on public Wi-Fi hotspots.<\/p>\n<p><strong>Updates:<\/strong> Absa provided comment following the publication of this article, saying that its homeowner 
app was not affected. Standard Bank has also\u00a0given feedback, saying that it\u00a0will be submitting a version of its banking app that includes certificate pinning.<\/p>\n<p>Thanks to Gerd Naschenweng for the tip.<\/p>\n<h3 id=\"related\">More information security news<\/h3>\n<p><a href=\"http:\/\/mybroadband.co.za\/news\/security\/125078-massive-security-flaw-leaves-ios-apps-open-to-hacking.html\"><strong>Massive security flaw leaves iOS apps open to hacking<\/strong><\/a><\/p>\n<p><a href=\"http:\/\/mybroadband.co.za\/news\/security\/99600-wi-fi-hacking-quadcopter-from-sa-security-firm.html\"><strong>Wi-Fi hacking quadcopter from SA security firm<\/strong><\/a><\/p>\n<p><a href=\"http:\/\/mybroadband.co.za\/news\/security\/119694-how-techies-hackers-swiped-sa-tax-money.html\"><strong>How techies, hackers swiped SA tax money<\/strong><\/a><\/p>\n<p><a href=\"http:\/\/mybroadband.co.za\/news\/security\/119604-sa-government-pcs-spied-on.html\"><strong>SA government PCs spied on<\/strong><\/a><\/p>\n<p><a href=\"http:\/\/mybroadband.co.za\/news\/security\/119558-signal-jamming-probe-tabled.html\"><strong>Signal jamming probe tabled<\/strong><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A wide-reaching security vulnerability has left a number of South African financial and messaging iOS apps vulnerable to man-in-the-middle 
attacks.<\/p>\n","protected":false},"author":15,"featured_media":84713,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[8417,30050,30036,30052,30062,15844,30054,27627,35,691,29708,2222,20787,30048,21139,30056,30058,30060,3516,4566,25909,28502],"class_list":["post-125100","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-22seven","tag-absa-homeowner","tag-afnetworking","tag-bitx-wallet","tag-derek-wiggill","tag-discovery","tag-discovery-healthid","tag-dstv-now","tag-headline","tag-ios","tag-kobus-ehlers","tag-mxit","tag-secure-socket-layer-ssl","tag-securedna","tag-snapscan","tag-standard-bank-app","tag-standard-bank-mobile-banking","tag-ster-kinekor-theatres","tag-supersport","tag-takealot-com","tag-zapper","tag-zomato"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/125100"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=125100"}],"version-history":[{"count":2,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/125100\/revisions"}],"predecessor-version":[{"id":125104,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/125100\/revisions\/125104"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/84713"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=125100"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=125100"},{"taxonomy":"post_tag","embed
dable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=125100"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}