An AFNetworking SSL flaw in at least 25,000 iOS applications is leaving iPhone and iPad users open to man-in-the-middle attacks, according to researchers at SourceDNA.
The security firm reported uncovering the flaw while examining the AFNetworking SSL 2.5.2 version's code following the discovery of a similar flaw in version 2.5.2 that left 1,500 apps vulnerable.
"We began auditing the AFNetworking SSL code after the previous vulnerability was announced. Version 2.5.1 would accept self-signed certificates," read the SourceDNA threat advisory.
"A few weeks ago, we found that version 2.5.2 did fix this issue, but there was another flaw nearby in the same code."
The bug could reportedly be exploited by hackers using bogus SSL certificates to mount man-in-the-middle attacks on devices with the apps installed.
"Domain name validation could be enabled by the validatesDomainName flag, but it was off by default. It was only enabled when certificate pinning was turned on, something too few developers are using," explained SourceDNA.
"This meant that a coffee shop attacker could still eavesdrop on private data or grab control of any SSL session between the app and the internet.
"Because the domain name wasn't checked, all they needed was a valid SSL certificate for any web server, something you can buy for $50."
'Coffee shop attackers' target devices connecting to weak, insecure networks, such as public WiFi hotspots. It is currently unclear whether the flaw is being targeted by hackers.
SourceDNA said it had contacted AFNetworking about the bug and an updated 2.5.3 version has been released that reportedly fixes the problem, but AFNetworking users will have to install the update.
"If you are using AFNetworking (any version) you must upgrade to 2.5.3. Also, you should enable public key or certificate-based pinning as an extra defence. Neither of these game-over SSL bugs affected apps using pinning," said the firm.
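The trust decision SourceDNA describes can be modelled in a few lines. The following is an added illustration, not AFNetworking's code or anything from the advisory: certificates are constructed records rather than real X.509 objects, and the host names, key ids and function names are hypothetical.

```python
# Added illustration: simplified model of a TLS client's trust decision.
# Certificates are constructed records, not real X.509 objects.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    names: tuple         # DNS names the certificate was issued for
    trusted_chain: bool  # stands in for "chains to a CA the device trusts"
    key_id: str          # placeholder for a public-key fingerprint

def name_matches(pattern, host):
    """Compare one certificate DNS name with the host the app asked for.
    A wildcard is honoured only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) >= 3:
        return p[1:] == h[1:]
    return p == h

def accepts(cert, host, validates_domain_name, pinned_keys=None):
    """Return True if the client would proceed with the connection."""
    if not cert.trusted_chain:
        return False  # self-signed or unknown issuer
    if validates_domain_name and not any(name_matches(n, host) for n in cert.names):
        return False  # certificate was issued for some other site
    if pinned_keys is not None and cert.key_id not in pinned_keys:
        return False  # key is not one the app shipped with
    return True

# Constructed sample data (hypothetical hosts and key ids).
HOST = "api.bank.example"
LEGIT = Cert(("*.bank.example",), True, "key-bank")
OTHER_SITE = Cert(("shop.other.example",), True, "key-other")  # valid, wrong domain
SELF_SIGNED = Cert(("api.bank.example",), False, "key-self")

if __name__ == "__main__":
    for label, cert in [("legit", LEGIT), ("other site", OTHER_SITE), ("self-signed", SELF_SIGNED)]:
        print(label,
              "| name check off:", accepts(cert, HOST, False),
              "| name check on:", accepts(cert, HOST, True),
              "| pinned:", accepts(cert, HOST, True, {"key-bank"}))
```

With the name check off, the only certificate rejected is the self-signed one; the certificate issued for an unrelated site is accepted until either the name check or a pin is applied.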
Poor patching practices are an ongoing problem in the developer community. McAfee reported in its McAfee Labs Threats Report: February 2015 research paper that many "popular" applications are still missing critical Heartbleed SSL patches.
IBM's X-Force 2015 research report in March said that patching practices allowed hackers to compromise at least one billion records containing personally identifiable information in 2014.
SourceDNA listed the new vulnerability as proof that developers must take security more seriously.
"This also shows that a bug is not truly fixed until it has made it into a release and into your apps and out to the app stores," read the advisory.
"Developers need to track the code in their apps to be sure patches aren't lost along the way. Our Searchlight service can help you do just that, giving you immediate info on flaws that affect your apps."
SourceDNA has released a checker tool for developers concerned that their apps may be vulnerable, and has updated the Searchlight tool to show which apps are still vulnerable.
The news follows the discovery of several other critical flaws in popular mobile applications.
Researchers at Palo Alto Networks uncovered a flaw codenamed Android Installer Hijacking in Google's mobile operating system that left 50 percent of users open to malware infection.
However, some experts have questioned the importance of the vulnerabilities, despite their potential for harm.
F-Secure security advisor Sean Sullivan told V3 that while the issue is serious, most businesses should have defense policies in place to protect themselves.
"If you're using WiFi in a public space, a hacker can potentially sniff and decrypt the traffic with easy to get certificates," he said.
"Not good if you're using a banking app. Also not good if you use something like Mail by Dropbox (which comes up in SourceDNA's database).
"Attacks from coffee shops are rare - but possible. In any case, businesses should require their employees to use VPNs from any access point that the business doesn't directly control."
Recent data from Verizon supports Sullivan's argument. Verizon reported in its Data Breach Investigations Report on 14 April that a piddly 0.3 percent of malware infections on its network affect mobile devices.