{"id":6531,"date":"2017-02-06T22:30:31","date_gmt":"2017-02-07T06:30:31","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/02\/06\/news-355\/"},"modified":"2017-02-06T22:30:31","modified_gmt":"2017-02-07T06:30:31","slug":"news-355","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/02\/06\/news-355\/","title":{"rendered":"Dozens of iOS apps fail to secure users' data, vendor says"},"content":{"rendered":"

<\/p>\n

Credit to Author: Michael Kan | Date: Mon, 06 Feb 2017 22:14:00 -0800<\/strong><\/p>\n

Dozens of iOS apps that are supposed to be encrypting their users’ data don’t do it properly, according to a security vendor. <\/p>\n

Will Strafach, CEO of Sudo Security Group, said he found 76 iOS apps that are vulnerable to an attack that can intercept protected data. <\/p>\n

The developers of the apps have accidentally misconfigured the networking-related code so it will accept an invalid Transport Layer Security (TLS) certificate, Strafach claimed<\/a> in a Monday blog post. \u00a0\u00a0 <\/p>\n

TLS is used to secure an app\u2019s communication over an internet connection. Without it, a hacker can essentially eavesdrop over a network to spy on whatever data the app sends, such as login information. \u00a0 <\/p>\n

\u201cThis sort of attack can be conducted by any party within Wi-Fi range of your device while it is in use,\u201d Strafach said. \u201cThis can be anywhere in public, or even within your home if an attacker can get within close range.\u201d <\/p>\n

Strafach discovered the vulnerability in the 76 apps by scanning them with his company-developed security service, verify.ly<\/a>, which he’s promoting. It flagged \u201chundreds of applications\u201d with a high likelihood of data interception. <\/p>\n

He\u2019s so far confirmed that these 76 apps possess the vulnerability. He did so by running them on an iPhone with iOS 10 and using a proxy to insert an invalid TLS certificate into the connection. <\/p>\n

Strafach declared that 43 of the apps were either a high or medium risk, because they risked exposing login information and authentication tokens. Some of them are from \u201cbanks, medical providers, and other developers of sensitive applications,\u201d he said. <\/p>\n

He’s not disclosing their names, to give them time to patch the problem. \u00a0\u00a0 <\/p>\n

The remaining 33 apps were deemed low risks because they revealed only partially sensitive data, such as email addresses. They include the free messaging service ooVoo, video uploaders to Snapchat and lesser-known music streaming services, among many others. <\/p>\n

In all, the 76 apps have 18 million downloads, according to app market tracker Apptopia, Strafach said. <\/p>\n

It\u2019ll be up to the app developers to fix the problem, but it involves changing only a few lines of code, says Strafach, who\u2019s been trying to contact the developers. <\/p>\n

He included some warnings for developers in the blog post. <\/p>\n

\u201cBe extremely careful when inserting network-related code and changing application behaviors,\u201d he wrote. \u201cMany issues like this arise from an application developer not fully understanding the code they\u2019ve borrowed from the web.\u201d <\/p>\n

Users of affected apps can protect themselves by turning off Wi-Fi when in a public location, Strafach says. That will force the phone to use a cellular connection to the internet, making it much harder for any hacker to eavesdrop unless they use expensive and illegal equipment, Strafach said. <\/p>\n

http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/p>\n

\n
\n

Dozens of iOS apps that are supposed to be encrypting their users’ data don’t do it properly, according to a security vendor.<\/p>\n

Will Strafach, CEO of Sudo Security Group, said he found 76 iOS apps that are vulnerable to an attack that can intercept protected data.<\/p>\n

The developers of the apps have accidentally misconfigured the networking-related code so it will accept an invalid Transport Layer Security (TLS) certificate, Strafach claimed<\/a> in a Monday blog post. \u00a0\u00a0<\/p>\n

TLS is used to secure an app\u2019s communication over an internet connection. Without it, a hacker can essentially eavesdrop over a network to spy on whatever data the app sends, such as login information. \u00a0<\/p>\n

To read this article in full or to leave a comment, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[11077,714],"class_list":["post-6531","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-apple-ios","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6531","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6531"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6531\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6531"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6531"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6531"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}