A number of popular apps, like Movies by Flixster and others, are currently affected by a security flaw that could make it easier for hackers to steal personal information like bank account information, passwords, credit card numbers, and more. The news was first reported by research firm SourceDNA.
The security flaw is present in a specific version of the AFNetworking protocol – version 2.5.1 – that was available to download between late January and March 25. The open source software is a popular tool developers use to offer networking capabilities in their apps.
According to SourceDNA, around 1,500 apps still suffer from the vulnerability. The firm analyzed around 1 million of the 1.4 million titles available in the App Store.
With the HTTPS flaw, hackers could easily intercept information using what is called a man-in-the-middle attack. When using an open wireless network, like at a coffee shop, the flaw makes it easier for attackers to see any confidential information you share in the app:
The day the flaw was announced & patched, a quick search in SourceDNA showed about 20,000 iOS apps (out of the 100k apps that use AFNetworking) both contained the AFNetworking library and were updated or released on the App Store after the flawed code was committed. Our system then scanned those apps with the differential signatures to see which ones actually had the vulnerable code.
The results? 55% had the older but safe 2.5.0 code, 40% were not using the portion of the library that provides the SSL API, and 5% or about 1,000 apps had the flaw. Are these apps important? We compared them against our rank data and found some big players: Yahoo!, Microsoft, Uber, Citrix, etc. It amazes us that an open-source library that introduced a security flaw for only 6 weeks exposed millions of users to attack.
SourceDNA has also unveiled a tool where anyone can check to see if apps from a specific developer suffer from the issue. The company did say that a number of developers were already aware of the issue and in the process of updating their apps.
For now, if you’ve downloaded one of the affected apps, the best advice is to stay away from open, unencrypted Wi-Fi networks. And make sure to update all your apps on a timely basis.
For other news today, see: Keep track of your credit card rewards from your wrist with Wallaby, Carrot Weather delivers the forecast and a side of snark to your Apple Watch, and Is Tidal worth the hype and high cost?