
Report: Security Flaw Lets Hackers Snoop on 76 iPhone Apps

Only sending sensitive data over a cellular connection should reduce your risk, according to a security expert.

By Tom Brant
February 7, 2017

HTTPS encryption only protects you if the app on the other end actually checks the server's certificate. The man-in-the-middle attack that security researchers described this week targets apps that don't, and it can affect dozens of popular iPhone and iPad apps.

The attack gets its man-in-the-middle name from the fact that the attacker sits between your device and the open Web, relaying your Internet traffic through a machine they control before it reaches its destination. Anyone in that position, for example someone who has lured your phone onto a Wi-Fi network they run, can present the app with a forged TLS certificate, one of the building blocks of HTTPS encryption. A vulnerable app accepts the forged certificate, so the attacker can read and alter the data that the app believes is encrypted end to end. In most cases the interception goes undetected by the app security built into Apple's iOS mobile operating system, according to iOS security expert Will Strafach.

"The truth of the matter is, this sort of attack can be conducted by any party within Wi-Fi range of your device while it is in use," Strafach wrote in a Medium post. "This can be anywhere in public, or even within your home if an attacker can get within close range."

It's not a new threat: hackers have been able to snoop on iOS and Android apps for years. But this particular implementation is significant, Strafach said, because there's little Apple can do to thwart it.

"Apple's 'App Transport Security' mechanism will see the connection as a valid TLS connection, as it must allow the application to judge the certificate validity if it chooses to do so," he explained. "There is no possible fix to be made on Apple's side, because if they were to override this functionality in attempt to block this security issue, it would actually make some iOS applications less secure as they would not be able to utilize certificate pinning for their connections."


Instead, developers themselves must fix the issue by making sure their networking code doesn't override the system's certificate checks in a way that accepts an invalid TLS certificate. In the meantime, end users can reduce their exposure by making sure that apps which send sensitive information only do so while the phone is on cellular data or on a secured Wi-Fi network. Note that a Wi-Fi password is not much protection on its own: anyone else who knows it, such as the other customers of a coffee shop, can join the same network and run the attack, which is why cellular data is the safer choice.
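The class of bug behind the report, and the developer-side fix described above, in code. This is an added illustration written for this page, not code from Strafach's post or from any of the affected apps: a URLSession delegate that trusts whatever certificate the server sends (the vulnerable pattern, which is what lets an attacker's forged certificate through while App Transport Security still sees a "valid" TLS session), beside a hardened delegate that first lets iOS validate the chain and then pins the certificate. The pin value and the session setup at the bottom are placeholders for this example.

```swift
import Foundation
import CryptoKit

// VULNERABLE: the pattern behind the class of bug described above.
// Every server certificate is accepted, so an attacker on the same Wi-Fi
// network presenting a self-signed or otherwise untrusted certificate gets a
// TLS session the app treats as genuine. App Transport Security cannot help:
// the app has told the system that the trust evaluation passed.
final class TrustEverythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // No SecTrustEvaluate call at all: whatever the peer sent is trusted.
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// HARDENED: system chain validation first, then a certificate pin.
final class PinnedDelegate: NSObject, URLSessionDelegate {
    // SHA-256 of the DER-encoded certificate(s) the app expects to see in the
    // chain. The value below is an assumed placeholder; compute the real one
    // from your server's certificate, e.g.
    //   openssl x509 -in server.pem -outform DER | shasum -a 256
    private let pinnedSHA256: Set<String> = [
        "0000000000000000000000000000000000000000000000000000000000000000"
    ]

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Step 1: the check the vulnerable delegate skipped. iOS builds the
        // chain to a trusted root and checks expiry and the hostname policy
        // that URLSession attached to this trust object. (iOS 12+ API.)
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 2: the pin. Rejects an attacker's certificate even when it
        // chains to a root the device trusts, such as a CA profile a user was
        // tricked into installing. (SecTrustCopyCertificateChain is iOS 15+;
        // on older systems walk SecTrustGetCertificateAtIndex instead.)
        let chain = (SecTrustCopyCertificateChain(trust) as? [SecCertificate]) ?? []
        let matched = chain.contains { cert in
            let der = SecCertificateCopyData(cert) as Data
            let digest = SHA256.hash(data: der).map { String(format: "%02x", $0) }.joined()
            return pinnedSHA256.contains(digest)
        }
        completionHandler(matched ? .useCredential : .cancelAuthenticationChallenge,
                          matched ? URLCredential(trust: trust) : nil)
    }
}

// Assumed usage: the hardened delegate is attached to the session that
// carries the app's sensitive traffic.
let session = URLSession(configuration: .default, delegate: PinnedDelegate(), delegateQueue: nil)
```

If an app has no reason to pin, the simplest correct fix is to not implement the server-trust branch of this delegate method at all: URLSession then performs the default validation itself. A practical way to check an app for this bug is to route the device through an intercepting proxy such as mitmproxy or Burp without installing the proxy's CA certificate on the device; if the app's traffic still decrypts in the proxy, the app is accepting certificates it should reject.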

Strafach said he has confirmed that at least 76 iOS apps are vulnerable to the attack, and there could be hundreds more. The severity of the threat depends on the type of data the app is sending, with many apps only transmitting basic information like crash reports. He said he is withholding the names of many of the vulnerable apps to give their developers time to address the issue.

