
76 popular iPhone apps found wide open to data interception attacks

Graham CLULEY

February 07, 2017


When people ask me which smartphone they should buy from the security point of view, I invariably advise them to get an iPhone.

The malware attacks that have been seen against iOS devices have typically been sophisticated state-sponsored campaigns, focusing on high-risk targets. Apple’s tight hold on iOS security may not have won it universal love, but when compared to the significant amount of malware and adware seen being written for Android devices it’s clear that there’s no contest.

Furthermore, there is no doubt that Apple has done a much better job of keeping its iPhone and iPad customers patched with the latest security operating system updates than many of the Android manufacturers – some of whom have left their users in the lurch with badly out-of-date and at-risk software.

But malware and operating system vulnerabilities aren’t the only considerations.

The truth is that the most significant threat is probably not your chances of encountering malware, or whether your OS is properly patched, but rather the third-party apps that you have installed on your device.

After all, do you really know what your apps are doing, or how well they’re keeping your sensitive information safe and secure?

New research has discovered scores of buggy iOS apps that do a lousy job of securing users’ information, and could be making life all too easy for hackers keen to intercept and steal data.

Security researcher Will Strafach says that he was able to identify 76 popular apps in the official App Store that failed to make use of the Transport Layer Security (TLS) protocol, and allowed a malicious attacker to silently perform a man-in-the-middle (MiTM) attack, stealing or manipulating data as it is sent to and received from the mobile device.

“The truth of the matter is, this sort of attack can be conducted by any party within Wi-Fi range of your device while it is in use. This can be anywhere in public, or even within your home if an attacker can get within close range.”

“There is no possible fix to be made on Apple’s side, because if they were to override this functionality in an attempt to block this security issue, it would actually make some iOS applications less secure as they would not be able to utilize certificate pinning for their connections, and they could not trust otherwise untrusted certificates which may be required for intranet connections within an enterprise using an in-house PKI. Therefore, the onus rests solely on app developers themselves to ensure their apps are not vulnerable.”
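Since the fix sits with app developers, here is what a developer-side remediation looks like: a URLSession delegate that keeps the system’s normal certificate validation and layers certificate pinning on top, so a forged certificate presented by an interceptor on the same Wi-Fi network is rejected. This is an added illustration, not code from the article or from Strafach’s research; it assumes iOS 14 or later (for SecTrustCopyKey) and uses a placeholder pin value that must be replaced with the hash of the real server key.

```swift
import Foundation
import Security
import CryptoKit

/// Base64 SHA-256 of the server's public key as returned by
/// SecKeyCopyExternalRepresentation (raw key bytes, not a full SPKI).
/// PLACEHOLDER: compute the real value from your own server certificate.
let pinnedKeyHashes: Set<String> = ["PLACEHOLDER_BASE64_SHA256_OF_SERVER_KEY"]

/// True only if the chain passes system validation AND the leaf public key
/// matches one of the pins. Requires iOS 14+ for SecTrustCopyKey.
func serverTrustIsPinned(_ trust: SecTrust) -> Bool {
    // Step 1: normal chain validation against the device trust store. Skipping
    // this step (or always answering .useCredential) is what lets a forged
    // certificate from a Wi-Fi interceptor be accepted silently.
    var error: CFError?
    guard SecTrustEvaluateWithError(trust, &error) else { return false }

    // Step 2: pin the leaf's public key, so even a certificate issued by a
    // trusted CA for the wrong key is rejected.
    guard let key = SecTrustCopyKey(trust),
          let keyData = SecKeyCopyExternalRepresentation(key, nil) as Data? else {
        return false
    }
    let hash = Data(SHA256.hash(data: keyData)).base64EncodedString()
    return pinnedKeyHashes.contains(hash)
}

/// Applies the check above to every server-trust challenge; other challenge
/// types (e.g. HTTP auth) fall back to default handling.
final class PinningDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition,
                                                  URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        if serverTrustIsPinned(trust) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Fail the request rather than talk to an untrusted endpoint.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Every request made through this session is subject to the pin check.
let pinnedSession = URLSession(configuration: .default, delegate: PinningDelegate(), delegateQueue: nil)
```

When rotating server keys, ship the new pin alongside the old one in pinnedKeyHashes before the switch, otherwise the app locks itself out.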

Strafach, who works for Sudo Security Group, reports that the apps have received a combined total of more than 18 million downloads.

On Strafach’s list are a number of apps which he classifies as “low risk” despite it being possible to intercept their data. These apps, some of which can leak usernames and passwords, geolocation data and even keystrokes, include:

  • ooVoo – Free Video Call, Text and Voice
  • VivaVideo – Free Video Editor & Photo Movie Maker
  • Snap Upload for Snapchat – Send Photos & Videos
  • Uconnect Access
  • Volify – Free Online Music Streamer & MP3 player
  • Uploader Free for Snapchat – Quick Upload Snap from Camera Roll
  • Epic! – Unlimited Books for Kids
  • Mico – Chat, Meet New People
  • Safe Up for Snapchat – Quick Upload photos and videos from your camera roll
  • Tencent Cloud
  • Uploader for Snapchat – Quick Upload Pics & Videos to Snapchat
  • Huawei HiLink (Mobile WiFi)
  • VICE News
  • Trading 212 Forex & Stocks
  • 途牛旅游-订机票酒店火车票汽车票特价旅行
  • CashApp – Cash Rewards App
  • FreeMyApps – Free Cash, Money & Gift Card
  • 1000 Friends for Snapchat – Get More Friends & Followers for Snapchat
  • YeeCall Messenger-Free Video Call & Conference Call
  • InstaRepost – Repost Videos & Photos for Instagram Free Whiz App
  • Loops Live
  • Privat24
  • Private Browser – Anonymous VPN Proxy Browser
  • Cheetah Browser
  • AMAN Bank
  • FirstBank PR Mobile Banking
  • vpn free – OvpnSpider for vpngate
  • Gift Saga – Free Gift Card & Cash Rewards
  • Vpn One Click Professional
  • AutoLotto: Powerball, MegaMillions Lottery Tickets
  • Foscam IP Camera Viewer by OWLR for Foscam IP Cams
  • Code Scanner by ScanLife: QR and Barcode Reader

However, it appears that these “low risk” apps discovered by Will Strafach are just the tip of the iceberg.

The researcher has declined to post details of the remaining apps that are considered to be at “medium” or “high risk”, as he says he is in the process of reaching out to affected banks, medical providers and other developers to get the vulnerable apps fixed – subject to a two- or three-month responsible disclosure period.

If you’re concerned, one thing to remember is that your chances of having data intercepted are greatly reduced if you use a cellular connection (which requires a hacker to deploy specialist expensive hardware) rather than Wi-Fi.
