
What made iOS apps handling sensitive data vulnerable to MitM attacks?

A researcher discovered 76 iOS apps containing sensitive user data that were vulnerable to man-in-the-middle attacks. Expert Michael Cobb explains how developers can prevent this.

Seventy-six iOS apps, with purposes ranging from mobile banking to handling medical information, were found to be vulnerable to man-in-the-middle (MitM) attacks. Nineteen of these apps are considered high-risk, because an attacker on the same local network can steal sensitive information from them. What made these iOS apps vulnerable to MitM attacks, and how can developers prevent such instances in the future?

Will Strafach, a mobile security expert and CEO of Sudo Security Group, found these 76 popular iOS applications to be vulnerable to silent MitM attacks and the manipulation of data in motion, which should be protected by transport layer security (TLS). The discovery came during the development of the web-based mobile app analysis service Verify.ly, which enables users to scan the binary code of an iOS application and generate a report detailing any common security issues detected.

According to Apptopia estimates, more than 18 million users have downloaded vulnerable versions of these apps. For 19 of them, the flaw enables an attacker to intercept financial or medical service login credentials and the session authentication tokens of logged-in users.

The MitM attacks can be launched by any hacker within Wi-Fi range of a victim's device while it is in use. It only requires a slightly modified mobile phone or custom hardware, depending on the range and capabilities required.

Strafach tested with an iPhone running iOS 10 and a malicious proxy that presented an invalid TLS certificate for the intercepted connections; the vulnerable apps accepted it and carried on talking through the proxy. He also pointed out that the App Transport Security (ATS) feature of iOS does not and cannot block this class of bug: ATS decides whether a connection may use plain HTTP or weak TLS settings at all, but whether the server's certificate is accepted is decided by the app's own networking code, which is free to override the platform's validation.

ATS is a feature that Apple introduced in iOS 9. When it's enabled, it forces an app to connect to web services over an HTTPS connection rather than HTTP, and requires TLS 1.2 with forward-secrecy cipher suites. Apple announced that ATS would be required for all App Store submissions from Jan. 1, 2017, but postponed that deadline in December 2016, so apps can still ship with ATS disabled or with per-domain exceptions.
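ATS is switched on and off in the app's Info.plist. The fragment below is an added example, not configuration from any of the apps Strafach examined; the host name legacy.example.com is a placeholder. The first dictionary is the setting that turns ATS off for every host; the second keeps ATS on and carves out a single named exception, which is the form Apple asks developers to justify in review.

```xml
<!-- Weak: NSAllowsArbitraryLoads disables ATS for every connection the app makes. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

<!-- Corrected: ATS stays on; one legacy host (placeholder name) is allowed plain HTTP. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <false/>
    <key>NSExceptionDomains</key>
    <dict>
        <key>legacy.example.com</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>
```

Neither form has any bearing on the bug in the article: ATS governs which transports the app may use, not how the app's delegate code judges the certificate it receives over them.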

The problem lies in how developers implement networking-related code within their iOS applications. Strafach doesn't go into detail about the particular misconfigurations he found, beyond the fact that the apps' own code accepted an invalid certificate. Because ATS cannot catch that, the onus is on app developers to make sure their code never weakens or replaces the platform's certificate validation.

Many software vulnerabilities, like those discovered by Strafach, occur because developers don't read the documentation for the frameworks they use to build their apps. They also don't fully understand the code they've cut and pasted from examples on the internet, and are under too much time pressure to be able to fully test the apps and ensure they're secure before releasing them.

A common situation that leads to weaknesses in authentication, encryption and other security controls is that developers override or bypass default functionality, such as TLS validation. This is often done to speed up development times, but developers then forget to restore the secure settings or to remove code used for internal testing before releasing the app to the public.

During development, any change that overrides default functionality must be documented and flagged for removal prior to release. Code reused from the internet should be added to a project only when its purpose is fully understood, and it should be documented as well. Any code or settings that bypass security checks should be removed once the app reaches the alpha phase of development, so the app's security can be fully tested well before its final release; a compile-time guard that keeps such code out of release builds is safer than a flag someone has to remember to flip.
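The override described above, in Swift, as an added example that is not code from the article or from any of the affected apps. The first delegate is the bypass pattern: it answers the server-trust challenge by accepting whatever certificate the peer presents, so a proxy with a self-signed certificate is silently trusted while ATS remains enabled and none the wiser. The second delegate keeps the system's validation and adds certificate pinning against a copy shipped in the bundle. The bundled file name "api-leaf.cer" and the environment variable ALLOW_UNTRUSTED_TLS are assumptions for this example.

```swift
import Foundation
import Security

/// Assumed name of the pinned leaf certificate (DER bytes) in the app bundle.
private let pinnedCertificateName = "api-leaf"

/// VULNERABLE: the pattern the article describes. The delegate takes over the
/// server-trust decision and never evaluates the chain, so any certificate,
/// for any hostname, is accepted. ATS is still on for this session; it never
/// sees this decision.
final class TrustEverythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // No SecTrustEvaluate call at all: a malicious proxy's certificate passes.
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

/// HARDENED: let the system validate the chain and hostname first, then pin
/// the leaf to the bundled copy. Not implementing the delegate method at all
/// gives the same system validation without pinning, which already defeats
/// the attack described.
final class PinnedTrustDelegate: NSObject, URLSessionDelegate {
    private let pinnedDER: Data

    init?(bundle: Bundle = .main) {
        guard let url = bundle.url(forResource: pinnedCertificateName, withExtension: "cer"),
              let data = try? Data(contentsOf: url) else { return nil }
        pinnedDER = data
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // 1. Standard validation: trusted root, validity period, hostname match.
        //    SecTrustEvaluateWithError needs iOS 12; older targets use SecTrustEvaluate.
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // 2. Pinning: the presented leaf must be byte-identical to the bundled one.
        //    (SecTrustGetCertificateAtIndex is deprecated from iOS 15 in favour of
        //    SecTrustCopyCertificateChain but still works.)
        guard let leaf = SecTrustGetCertificateAtIndex(trust, 0),
              SecCertificateCopyData(leaf) as Data == pinnedDER else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

/// Session factory. The bypass is reachable only in DEBUG builds and only when
/// the assumed ALLOW_UNTRUSTED_TLS variable is set, so a forgotten test setting
/// cannot survive into a release build.
func makeSession() -> URLSession {
    #if DEBUG
    if ProcessInfo.processInfo.environment["ALLOW_UNTRUSTED_TLS"] == "1" {
        return URLSession(configuration: .default, delegate: TrustEverythingDelegate(), delegateQueue: nil)
    }
    #endif
    guard let delegate = PinnedTrustDelegate() else {
        fatalError("pinned certificate \(pinnedCertificateName).cer missing from bundle")
    }
    return URLSession(configuration: .default, delegate: delegate, delegateQueue: nil)
}
```

A quick check that the release build really validates: run the app against a local proxy that presents a self-signed certificate (mitmproxy or Charles without its CA installed on the device) and confirm the request fails with a cancelled challenge rather than completing. The same run against the vulnerable delegate shows the request succeeding and the proxy logging the plaintext, which is exactly what Strafach observed.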

While this specific vulnerability can be exploited for MitM attacks over both Wi-Fi and cellular connections, intercepting a cellular connection is far more difficult, requires expensive hardware and is far easier to detect. Therefore, users who are concerned about the security of any apps on their smartphone that transmit sensitive data, such as banking or medical apps, should turn off Wi-Fi and use only a cellular data connection while using them. That reduces exposure to nearby attackers but does not fix the app; the update that restores certificate validation should be installed as soon as the developer ships it.
