AFNetworking Vulnerability Exposes Thousands of iOS Apps to Attack
Alerts have emerged regarding a flaw in the open source AFNetworking library, which Apple iOS and OS X developers use to implement various networking functions in desktop and network applications. By failing to validate security certificates correctly, the bug lets black hats spoof security measures present in the device and masquerade as otherwise trusted web sites. Essentially, cyber thieves need only present any VALID certificate, not the certificate associated with the site in question. This flaw can be exploited to enable man-in-the-middle attacks and bypassing of SSL security – meaning presumed secure data streams from financial services, e-commerce, e-health, and other valuable personal information can potentially be exposed.
What’s interesting about the AFNetworking vulnerability is that it goes beyond the “usual” enterprise concerns to encompass the universe of Apple desktop and mobile application developers and end-users. This vulnerability affects at least 25,000 iOS applications on the iTunes App Store and comes on the heels of another HTTPS bug in iOS libraries that affects an estimated additional 1,500 apps, in total exposing data streams from the devices of tens of millions of users.
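The missing step described above, in plain terms: a certificate can chain to a trusted root (be "VALID") and still not be issued for the host the client is talking to. The following is an added Python illustration, not AFNetworking code; the `Cert` record and its `chain_trusted` flag are constructed stand-ins for the output of chain validation, and the hostname rules follow RFC 6125.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Cert:
    """Constructed stand-in for a parsed X.509 certificate."""
    subject_cn: str
    san_dns: List[str]      # subjectAltName dNSName entries
    chain_trusted: bool     # result of chain validation (assumed already done)


def chain_only_check(cert: Cert) -> bool:
    """The weak policy: any certificate that chains to a trusted root passes,
    regardless of which host it was issued for."""
    return cert.chain_trusted


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style matching: case-insensitive; a wildcard is allowed only as
    the whole left-most label, matches exactly one label, and never a bare TLD."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_check(cert: Cert, host: str) -> bool:
    """The correct policy: chain must be trusted AND the certificate must name
    the host. SAN takes precedence; the CN is consulted only when no SAN exists."""
    if not cert.chain_trusted:
        return False
    names = cert.san_dns if cert.san_dns else [cert.subject_cn]
    return any(dns_name_matches(n, host) for n in names)


# Constructed sample data: the bank's real certificate and some other site's
# legitimately issued certificate, both chaining to a trusted root.
BANK_CERT = Cert("bank.example", ["bank.example", "www.bank.example"], True)
OTHER_VALID_CERT = Cert("other-site.example", ["other-site.example"], True)
WILDCARD_CERT = Cert("*.bank.example", ["*.bank.example"], True)

if __name__ == "__main__":
    print(chain_only_check(OTHER_VALID_CERT))            # True: the flaw
    print(hostname_check(OTHER_VALID_CERT, "bank.example"))  # False: rejected
```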
Read More (originally published on Open Source Delivers on 04/30/2015)