
76 popular iPhone apps found wide open to data interception attacks

When people ask me which smartphone they should buy from the security point of view, I invariably advise them to get an iPhone.

The malware attacks that have been seen against iOS devices have typically been sophisticated state-sponsored campaigns, focusing on high-risk targets. Apple’s tight hold on iOS security may not have won it universal love, but when compared to the significant amount of malware and adware seen being written for Android devices it’s clear that there’s no contest.

Furthermore, there is no doubt that Apple has done a much better job of keeping its iPhone and iPad customers patched with the latest security operating system updates than many of the Android manufacturers – some of whom have left their users in the lurch with badly out-of-date and at-risk software.

But malware and operating system vulnerabilities aren’t the only considerations.

The truth is that the most significant threat is probably not your chances of encountering malware, or whether your OS is properly patched, but rather the third-party apps that you have installed on your device.

After all, you don’t know what your apps are *really* doing, do you, or how well they’re keeping your sensitive information safe and secure?

New research has discovered scores of buggy iOS apps that do a lousy job of securing users’ information, and could be making life all too easy for hackers keen to intercept and steal data.

Security researcher Will Strafach says that he was able to identify 76 popular apps in the official App Store that failed to make use of the Transport Layer Security (TLS) protocol, and allowed a malicious attacker to silently perform a man-in-the-middle (MiTM) attack, stealing or manipulating data as it is sent to and received from the mobile device.

“The truth of the matter is, this sort of attack can be conducted by any party within Wi-Fi range of your device while it is in use. This can be anywhere in public, or even within your home if an attacker can get within close range.”

“There is no possible fix to be made on Apple’s side, because if they were to override this functionality in an attempt to block this security issue, it would actually make some iOS applications less secure as they would not be able to utilize certificate pinning for their connections, and they could not trust otherwise untrusted certificates which may be required for intranet connections within an enterprise using an in-house PKI. Therefore, the onus rests solely on app developers themselves to ensure their apps are not vulnerable.”
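The decision Strafach is describing lives in each app's own server-trust handling, which is why Apple cannot fix it centrally without breaking pinning and in-house PKI. The Swift delegate below is an added example, not code from the research or from any of the listed apps: it keeps the system's certificate validation (chain, expiry, hostname) and layers public-key pinning on top of it, rather than overriding the trust decision and accepting whatever certificate the network presents. The class name, the placeholder pin value, and the choice to hash the key's external representation (so the pin must be generated the same way) are assumptions made for the illustration.

```swift
import Foundation
import Security
import CryptoKit

/// Added example: a URLSession delegate that keeps the system's TLS validation
/// and additionally pins the server's public key. Pin values are placeholders.
final class PinnedTrustDelegate: NSObject, URLSessionDelegate {
    /// Base64-encoded SHA-256 digests of the expected server public keys
    /// (as returned by SecKeyCopyExternalRepresentation, an assumption of this example).
    private let pinnedKeyHashes: Set<String>

    init(pinnedKeyHashes: Set<String>) {
        self.pinnedKeyHashes = pinnedKeyHashes
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only server-trust challenges are handled here; everything else goes to the system.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Step 1: run the system's own evaluation (chain, expiry, hostname) and
        // refuse the connection if it fails. The defect described in the article is
        // the opposite: handing `trust` straight back as a credential without this
        // check, which lets anyone on the same Wi-Fi substitute their own certificate.
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 2: pin the leaf certificate's public key on top of system validation,
        // so even a certificate from a trusted CA is rejected unless its key matches.
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first,
              let key = SecCertificateCopyKey(leaf),
              let keyData = SecKeyCopyExternalRepresentation(key, nil) as Data? else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let digest = Data(SHA256.hash(data: keyData)).base64EncodedString()

        if pinnedKeyHashes.contains(digest) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Valid certificate but wrong key: treat as interception and abort.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage (placeholder pin; compute the real value from your own server's key
// using the same hashing as above).
let delegate = PinnedTrustDelegate(pinnedKeyHashes: ["BASE64_SHA256_OF_SERVER_PUBLIC_KEY_PLACEHOLDER"])
let session = URLSession(configuration: .default, delegate: delegate, delegateQueue: nil)
```

An app that needs to trust an enterprise's in-house CA, the case Strafach raises, would add that CA to the trust object with `SecTrustSetAnchorCertificates` before step 1 rather than skipping step 1; either way the evaluation still runs, which is what distinguishes a deliberate trust policy from the blanket acceptance that leaves traffic open to interception. Note that the delegate is called for every connection, so a pin rotation plan (shipping the next key's hash ahead of time) is needed to avoid locking users out when the server key changes.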

Strafach, who works for Sudo Security Group, reports that the apps have received a combined total of more than 18 million downloads.

On Strafach’s list are a number of apps which he classifies as “low risk” despite it being possible to intercept their data. These apps, some of which can leak usernames and passwords, geolocation data and even keystrokes, include:

  • ooVoo – Free Video Call, Text and Voice
  • VivaVideo – Free Video Editor & Photo Movie Maker
  • Snap Upload for Snapchat – Send Photos & Videos
  • Uconnect Access
  • Volify – Free Online Music Streamer & MP3 player
  • Uploader Free for Snapchat – Quick Upload Snap from Camera Roll
  • Epic! – Unlimited Books for Kids
  • Mico – Chat, Meet New People
  • Safe Up for Snapchat – Quick Upload photos and videos from your camera roll
  • Tencent Cloud
  • Uploader for Snapchat – Quick Upload Pics & Videos to Snapchat
  • Huawei HiLink (Mobile WiFi)
  • VICE News
  • Trading 212 Forex & Stocks
  • 途牛旅游-订机票酒店火车票汽车票特价旅行
  • CashApp – Cash Rewards App
  • FreeMyApps – Free Cash, Money & Gift Card
  • 1000 Friends for Snapchat – Get More Friends & Followers for Snapchat
  • YeeCall Messenger-Free Video Call & Conference Call
  • InstaRepost – Repost Videos & Photos for Instagram Free Whiz App
  • Loops Live
  • Privat24
  • Private Browser – Anonymous VPN Proxy Browser
  • Cheetah Browser
  • AMAN Bank
  • FirstBank PR Mobile Banking
  • vpn free – OvpnSpider for vpngate
  • Gift Saga – Free Gift Card & Cash Rewards
  • Vpn One Click Professional
  • AutoLotto: Powerball, MegaMillions Lottery Tickets
  • Foscam IP Camera Viewer by OWLR for Foscam IP Cams
  • Code Scanner by ScanLife: QR and Barcode Reader

However, it appears that these “low risk” apps discovered by Will Strafach are just the tip of the iceberg.

The researcher has declined to post details of the remaining apps that are considered to be at “medium” or “high risk”, as he says he is in the process of reaching out to affected banks, medical providers and other developers to get the vulnerable apps fixed – subject to a two- or three-month responsible disclosure period.

If you’re concerned, one thing to remember is that your chances of having data intercepted are greatly reduced if you use a cellular connection (which requires a hacker to deploy specialist, expensive hardware) rather than Wi-Fi.

About the author

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

3 Comments


  • I'm using Appologic's 'AirBeam' which is a brilliant wifi video streaming app, similar to a baby monitor app. It can broadcast live feed between iOS devices across a LAN directly via a router without using the internet.
    It also has an option for broadcasting over the internet using a router's port mapping function. It recommends that this should be done only if the app is password protected but it doesn't insist. That seems a tad reckless to me.

  • Graham –

    Thanks for communicating the importance for IoT security. And yes, we are well-aware of the TLS/SSL issue.

    I am the CEO of OWLR and wanted to let you (and your readers) know, we already support TLS (HTTPS) on our Android apps where the cameras allow it.

    Due to the limitations of the cameras, certificate pinning is not available — so while the data being transmitted is encrypted, it MAY be subject to MITM.

    We will be rolling out this TLS (HTTPS) function to our iOS apps in the near future and will announce it to our users broadly so they are made aware.

    Unfortunately, we are at the mercy of the camera manufacturers since their firmware determines if their devices will accept a certificate of our app’s making.

    Even as you distributed this article, we were on the phone with one of these manufacturers regarding this very issue.

    Thank you for the increased visibility and we look forward to sharing our results with you and your readers.

  • With the constant state of cyber attacks, many end users don't really know how third-party apps are keeping sensitive data safe, when security officials claim developers of the apps fail to abide by the TLS protocol, allowing hackers to perform a MiTM attack. Officials have flagged dozens of apps in the Apple store as low risk of a data breach, while others are like the iceberg that sank the Titanic, whose dangers were under the waves. End users worried about a cyber attack would be urged to consider using a cellular connection rather than Wi-Fi, as hackers would have to deploy costly equipment just to intercept data being transferred.