AFNetworking is a well-known open-source code library, which enables developers drop networking capabilities into their OS X and iOS products. But, it’s not able to check the domain name for which the SSL certificate has been circulated.
Any Apple iOS application using AFNetworking version preceding to the latest version 2.5.3, is vulnerable to this defect, which allows hackers to steal data or tamper with it. This may happen even if the app is protected by SSL (secure sockets layer) protocol.
Any of the SSL Certificate Can Be Used to Decode Users’ Sensitive Data
Any valid SSL certificate can be used by an attacker, for a domain name, so that the vulnerability can be exploited. And, so long as the certificate is issued by a credible authority (CA), it is something that can be bought for $50.
For example, it is possible to just pretend to be ‘facebook.com’ by providing a valid SSL certificate for ‘thehackernews.com’.
The vulnerability, estimated to have affected more than 25,000 iOS apps, was detected and reported by Ivan Leichtling from Yelp.
The issue has been fixed by AFNetworking in its latest release 2.5.3. The previous version – 2.5.2, failed to patch another SSL-related vulnerability.
The Issue Could Not Be Patched by Version 2.5.2
Earlier, it was known that with the release of AFNetworking 2.5.2, the absence of SSL certificate validation issue had been removed, which allowed hackers with self-created certificates to interrupt the encrypted traffic from vulnerable iOS apps and see the sensitive data that is sent to the server.
However, even after patching the vulnerability, Source DNA looked for vulnerable code present in iOS apps and located a number of apps that were vulnerable to the flaw.
Therefore, anyone who is in the position of man-in-the-middle, such as unsecured Wi-Fi networks or hackers, a state-sponsered hacker, or a rogue employee in a virtual private network, who presents their own CA-issued certificate can modify or monitor the protected communications.
Even Apps from Big Developers Found to Be Vulnerable
The iOS products who have their domain name validation turned off need to be careful, as security companies have found that apps from important developers, such as Wells Fargo, Bank of America and JPMorgan Chase are likely to be affected.
According to SourceDNA, iOS apps from top developers like Microsoft and Yahoo were meanwhile vulnerable to the HTTPS-crippling bug.
How to Prevent the Flaw
In order to prevent hackers from exploiting the vulnerability, the list of vulnerable iOS apps have not been disclosed.
However, it has been advised that web application audits need to be conducted and developers need to incorporate the latest AFNetworking build (2.5.3) in their products, so that the domain name validation can be enabled by default.
A free check tool is also being offered by SourceDNA, which can help developers as well as end users to check their apps for the vulnerability.
In the meantime, iOS users should also check the status of apps they use, especially the ones that use bank account details and other crucial information.