Many popular iPhone apps are vulnerable to attacks that can intercept sensitive data that is supposed to be protected by encryption.
On Monday, Sudo Security Group CEO Will Strafach revealed in a blog post that the buggy apps have been downloaded to some 18 million devices. Of the 33 applications whose names were publicly disclosed, "Uconnect Access" can be exploited by an attacker to interfere with the user's vehicle, "Huawei HiLink" can leak device data, and "Cheetah Browser" can leak the user's geographic location and keystrokes. In more than 40 further apps rated medium or high risk, a man-in-the-middle attacker could intercept financial or health-care credentials. Information about those apps is being withheld for a couple of months while their developers fix them.
Strafach says users are safer when they are not using Wi-Fi, "because the vulnerability still exists while using cellular connections, but intercepting cellular connections is more difficult and expensive, requires more hardware, is visible, and is illegal in the US," he said.
Apps with this bug share one problem: poorly implemented networking code accepts any certificate when establishing an encrypted connection. An attacker near a vulnerable device can trick the app into accepting the attacker's own certificate and then read all the data the app sends and receives. To make matters worse, Apple's App Transport Security (ATS) feature does not block the attacker's certificate, because from its point of view the connection is still a valid encrypted one.
Strafach explained that Apple cannot solve this problem on its own: the apps become vulnerable because their own code bypasses certificate validation and accepts forged certificates, ignoring certificate pinning, a security feature, so it is up to each app developer to determine whether their app is affected.
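As an added illustration in Swift (not code from Strafach's post or from any of the apps named), the flaw described above beside its fix: a URLSession delegate that trusts any server certificate, and a hardened delegate that runs the system's chain validation and then pins the leaf certificate by hash. The pinned hash value is a placeholder to be replaced with the real server certificate's digest.

```swift
import Foundation
import CryptoKit

// Placeholder (constructed): hex SHA-256 of the pinned server certificate's DER bytes.
let pinnedCertificateSHA256 = "PLACEHOLDER_SHA256_HEX_OF_SERVER_CERT_DER"

typealias ChallengeHandler = (URLSession.AuthChallengeDisposition, URLCredential?) -> Void

/// The bug: whatever certificate the server presents is accepted without evaluation.
/// ATS still sees a completed TLS handshake, so it does not intervene.
final class InsecureDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping ChallengeHandler) {
        guard let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // BUG: no SecTrustEvaluate* call, so an attacker-issued certificate passes.
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

/// Hardened version: validate the chain first, then require the expected leaf.
final class PinningDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping ChallengeHandler) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // 1. Standard validation: trusted CA, hostname match, expiry.
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error),
              let leaf = SecTrustGetCertificateAtIndex(trust, 0) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // 2. Pin: the leaf certificate's DER digest must match the value shipped in the app.
        let der = SecCertificateCopyData(leaf) as Data
        let digest = SHA256.hash(data: der).map { String(format: "%02x", $0) }.joined()
        if digest == pinnedCertificateSHA256 {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // A valid-looking but unexpected certificate (e.g. a local MITM) is rejected.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}
```

In a code review, the pattern to look for is a server-trust challenge answered with `.useCredential` and no `SecTrustEvaluate*` call in between; that is what turns a working TLS connection into one that any nearby certificate can satisfy.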