iOS HTTPS Vulnerability
A number of security outlets are reporting on two HTTPS vulnerabilities affecting all iOS applications that use the AFNetworking library. The original report of the first vulnerability is available from SSL MiTM attack in AFNetworking 2.5.1 - Do NOT use it in production! SourceDNA gives a measure of the number of apps that are vulnerable in the article Finding Every Vulnerable App in the App Store.
There are several ways that this vulnerability could be exploited:
- A man-in-the-middle attack via a public wi-fi access point at a coffee shop. Banking and other passwords could be stolen.
- A man-in-the-middle attack executed via DNS hijacking.
- A man-in-the-middle attack executed via router hijacking.
The list goes from easiest to most difficult to implement, and from lowest impact to highest impact. A router hijack man-in-the-middle could allow an attacker to steal passwords for all accounts that use online banking during the time that the router hijack is in place.
Determining Whether or Not Your Bank’s Application is Vulnerable
SourceDNA has provided a tool to help you determine whether or not your application uses the vulnerable libraries: see iOS Security Report. According to this tool, several major banks’ applications are vulnerable to this problem.
It is likely that attackers are using similar methods to identify vulnerable applications and banks.
Apps that use key pinning are not vulerable, but it is difficult if not impossible for a user to determine whether or not the developer has implemented key pinning.
Fixing the Problem
AFNetworking 2.5.3 contains the fix to this problem, in the line item “Change validatesDomainName property to default to YES under all security policies”, but all apps need to be recompiled and updated in the App Store. Verify that your application vendor has updated your application.
Interest in AFNetworking
To understand how much effort is being put into either remediating the problem or developing attack code, Google Trends offers some insights into how often people are searching on “AFNetworking”, as shown in Figures 1 and 2 below.