Security Certificate Flaw in Some iOS Apps Could Expose User Data
How often do you check the permissions you grant to apps installed on your iPhone? Do you ever enter sensitive information into apps, like emails, passwords, and more? With apps of every type and nature available on smartphones, it’s all too easy to supply these apps with critical data without a second thought. However, a recent find by a security firm CEO reveals that there are a substantial number of apps with a fundamental flaw that could expose this private information to an attacker. How does it work?
The flaw centers around the way apps accept Transport Layer Security certificates. TLS is the protocol that keeps data transmitted between an app and a server confidential and free from tampering. Much as SSL does on the web, these certificates let your device verify that it is talking to the authorized server; TLS is the successor to SSL, and the two names are often used interchangeably. However, many apps currently appear to use a configuration that leaves them vulnerable to accepting a forged certificate as valid.
The potential dangers are numerous. If a user connects to a public wireless network, opens one of the insecure apps, and transmits personal information, they are exposed to a “man in the middle” attack. A hacker could present a fake certificate to the app, which would accept it as valid. The attacker can then pose as the legitimate server and intercept any information sent through the app, including credit card numbers or other personal data. The risk is also present on a home wireless network if an attacker can get onto it, which is why it is important to maintain strong access controls for your home network.
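To make the misconfiguration concrete, here is an added example (not code from the article or from any of the apps it refers to) showing the pattern that causes the flaw in an iOS app beside a hardened version. The first delegate hands the server's certificate back as trusted without ever evaluating it, so a forged certificate from a man in the middle is accepted; the second lets the system evaluate the chain and aborts the connection on failure. The endpoint `api.example.com` is a placeholder.

```swift
import Foundation
import Security

// WEAK: accepts whatever certificate the server (or a man in the middle) presents.
final class AcceptAnyCertificateDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // The trust object is never evaluated, so a forged chain is treated as valid.
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// HARDENED: evaluates the chain (trusted root, validity period, hostname match)
// and cancels the connection when evaluation fails. Not implementing the
// delegate method at all gives the same default validation.
final class ValidatingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            // Not a server-trust challenge (e.g. HTTP auth): leave it to the system.
            completionHandler(.performDefaultHandling, nil)
            return
        }
        var evaluationError: CFError?
        if SecTrustEvaluateWithError(trust, &evaluationError) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Untrusted or mismatched certificate: abort instead of silently continuing.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage against a placeholder endpoint; only the validating delegate should ship.
let session = URLSession(configuration: .default, delegate: ValidatingDelegate(), delegateQueue: nil)
let task = session.dataTask(with: URL(string: "https://api.example.com/account")!) { _, response, error in
    print(error?.localizedDescription ?? "status \((response as? HTTPURLResponse)?.statusCode ?? 0)")
}
task.resume()
```

A quick check for the weak pattern in a code review is to search for any `didReceive challenge` handler that calls `completionHandler(.useCredential, …)` without an intervening `SecTrustEvaluate*` call.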
In the analysis conducted by Sudo Security Group, 76 of the apps examined showed moderate to severe flaws in their handling of TLS. It is unclear how many apps across the entire App Store exhibit similar shortcomings; logic dictates that there are bound to be more. Though no specific apps were named, to allow time for patches to be developed, users should be aware that this threat does exist.
This wake-up call should serve as a reminder to be cautious about which apps you install and what types of data you allow them to access. Even an app that seems trustworthy could mishandle your sensitive information, either in transmission or in storage. With a careful approach, you can increase your confidence in your information’s security without having to rely solely on cellular data for all your activities.