According to some recent news, dozens of popular iPhone apps are susceptive to attacks that could potentially allow hackers to infiltrate and steal sensitive, encrypted data. The findings, which were first released in a blog post on Monday, said that buggy apps could account for at least 18 million downloads.
iPhone Apps Vulnerable To Hacks
According to ZDNet, among the 33 named apps, Uconnect Access can potentially leak usernames and passwords, allowing a hacker to interfere with a user's vehicle; Huawei HiLink can also leak device data; geolocation data and even keystrokes can be intercepted by users who are using Cheetah Browser.
The Problem Is Getting Worse
Over 40 iPhone apps were confirmed as the medium or high risk of foreign attacks, allowing an attacker to infiltrate and disrupt financial or medical service credentials. Other affected apps were not immediately named but are reportedly subjected to a two- or three-month responsible disclosure period, during which the developers need to fix the issue.
About Strafach's Blog Post
Will Strafach, chief executive of Sudo Security Group, who wrote the blog post and whose company is also included in the mobile vulnerability space, claim that app users are safer when they are not using Wi-Fi. "When on a cellular connection, the vulnerability does still exist. Cellular interception is a lot more difficult, requiring expensive hardware, is far more noticeable, and it is straight-up illegal within the US," he said.
What might have been a simple enough problem is now difficult to fix across the board. Badly-implemented networking code by several app developers means that the app will accept any certificate to establish an encrypted connection, according to Strafach.
According to ARSTechnica, an attacker within nearby range of a vulnerable device could fool the app into accepting their unknown certificate, allowing them to collect any data to and from the app. To make matters worse, Apple's app transport security feature can't block off the attacker's certificate because it sees a valid encrypted connection.
Apple is yet to issue any statement regarding this matter.
