AFNetworking Vulnerability Exposes Thousands of iOS Apps to Attack

Alerts have emerged regarding a flaw in the open source AFNetworking library that enables Apple iOS and OS X developers to implement various networking functions in desktop and network applications. By failing to validate security certificates correctly, the bug lets black hats spoof security measures present in the device and masquerade as otherwise trusted web sites. Essentially, cyber thieves need only present any VALID certificate, not the certificate associated with the site in question. This flaw can be exploited to enable man-in-the-middle attacks and bypassing of SSL security – meaning presumed-secure data streams carrying financial services, e-commerce, e-health, and other valuable personal information can potentially be exposed.
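The difference between accepting "any valid certificate" and accepting only a certificate issued for the site in question can be modelled as follows. This is an added example, not AFNetworking code: the `Cert` record, the function names and the `.example` hostnames are all constructed for illustration, and chain validation is reduced to a boolean.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a server certificate (not a real X.509 parser)."""
    san_dns: tuple        # dNSName entries from the subjectAltName extension
    chain_trusted: bool   # outcome of chain validation against the trust store


def name_matches(pattern: str, host: str) -> bool:
    """Compare one dNSName entry with the requested host, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # A wildcard covers exactly one left-most label and never a bare
        # suffix such as "*.example", so require at least three labels.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def chain_only_accept(cert: Cert, host: str) -> bool:
    """The flawed behaviour described above: the host is never consulted."""
    return cert.chain_trusted


def chain_and_host_accept(cert: Cert, host: str) -> bool:
    """Hardened check: trusted chain AND a name that covers the host."""
    return cert.chain_trusted and any(name_matches(n, host) for n in cert.san_dns)


# Constructed sample certificates.
BANK = Cert(san_dns=("bank.example", "*.bank.example"), chain_trusted=True)
UNRELATED = Cert(san_dns=("shop.example",), chain_trusted=True)   # valid, wrong site
SELF_SIGNED = Cert(san_dns=("api.bank.example",), chain_trusted=False)

if __name__ == "__main__":
    host = "api.bank.example"
    for label, cert in (("bank", BANK), ("unrelated", UNRELATED), ("self-signed", SELF_SIGNED)):
        print(label, chain_only_accept(cert, host), chain_and_host_accept(cert, host))
```

A client test suite should include the "valid chain, wrong name" case explicitly, because a check that only exercises expired or self-signed certificates will pass against the flawed behaviour.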

What’s interesting about the AFNetworking vulnerability is that it goes beyond the “usual” enterprise concerns to encompass the universe of Apple desktop and mobile applications developers and end-users. This vulnerability affects at least 25,000 iOS applications on the iTunes App Store and comes on the heels of another HTTPS bug in iOS libraries that affects an estimated additional 1500 apps, in total exposing data streams from devices of tens of millions of users.

Read More (originally published on Open Source Delivers on 04/30/2015)
