As many as 1,500 iOS apps are vulnerable to an HTTPS flaw that would allow an attacker to bypass security and steal passwords or other sensitive data.
According to SourceDNA, the problem traces back to AFNetworking, an open-source code library many apps use for networking functions. Version 2.5.1, released in January, accidentally introduced a bug which could let someone on the same WiFi network — or otherwise able to monitor a connection — present a fake SSL certificate and successfully decrypt HTTPS data.
The problem was solved with a v2.5.2 update three weeks ago, but many iOS apps are still using the old code. SourceDNA said it analysed one million of the 1.4 million titles in the App Store, including all free titles, but only the top 5,000 paid ones. Affected apps were not only using an outdated version of AFNetworking but failing to use certificate pinning, which allows only a specific certificate for HTTPS. Pinning is off by default in AFNetworking.