When people ask me which smartphone they should buy from the security point of view, I invariably advise them to get an iPhone.
The malware attacks that have been seen against iOS devices have typically been sophisticated state-sponsored campaigns, focusing on high-risk targets. Apple’s tight hold on iOS security may not have won it universal love, but when compared to the significant amount of malware and adware seen being written for Android devices it’s clear that there’s no contest.
Furthermore, there is no doubt that Apple has done a much better job of keeping its iPhone and iPad customers patched with the latest operating system security updates than many of the Android manufacturers – some of whom have left their users in the lurch with badly out-of-date and at-risk software.
But malware and operating system vulnerabilities aren’t the only considerations.
The truth is that the most significant threat is probably not your chances of encountering malware, or whether your OS is properly patched, but rather the third-party apps that you have installed on your device.
After all, you don’t know what your apps are *really* doing, do you, or how well they’re keeping your sensitive information safe and secure?
New research has discovered scores of buggy iOS apps that do a lousy job of securing users’ information, and could be making life all too easy for hackers keen to intercept and steal data.
Security researcher Will Strafach says that he was able to identify 76 popular apps in the official App Store that failed to make use of the Transport Layer Security (TLS) protocol, and allowed a malicious attacker to silently perform a man-in-the-middle (MiTM) attack, stealing or manipulating data as it is sent and received from the mobile device.
“The truth of the matter is, this sort of attack can be conducted by any party within Wi-Fi range of your device while it is in use. This can be anywhere in public, or even within your home if an attacker can get within close range.”
“There is no possible fix to be made on Apple’s side, because if they were to override this functionality in an attempt to block this security issue, it would actually make some iOS applications less secure as they would not be able to utilize certificate pinning for their connections, and they could not trust otherwise untrusted certificates which may be required for intranet connections within an enterprise using an in-house PKI. Therefore, the onus rests solely on app developers themselves to ensure their apps are not vulnerable.”
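To make the point concrete from the developer's side, here is an added illustration (not code from the article or from Strafach's research) of the mistake being described and of its hardened form: an iOS `URLSessionDelegate` that blindly accepts whatever server trust it is handed, beside one that performs normal chain validation and then pins the leaf certificate. The pin value is a placeholder, and the pinned-leaf approach and `SecTrustCopyCertificateChain` (iOS 15+) are assumptions of this example.

```swift
import Foundation
import Security
import CryptoKit

// VULNERABLE pattern: the app overrides trust evaluation and accepts any
// certificate, so a MiTM on the same Wi-Fi can present its own cert and read
// or alter the traffic. This is the class of bug the article describes.
final class AcceptAnythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if let trust = challenge.protectionSpace.serverTrust {
            completionHandler(.useCredential, URLCredential(trust: trust)) // no validation at all
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

// HARDENED pattern: validate the chain the normal way, then additionally pin
// the SHA-256 of the server's DER-encoded leaf certificate.
final class PinnedDelegate: NSObject, URLSessionDelegate {
    // Placeholder: replace with the base64 SHA-256 of your own server certificate.
    private let pinnedLeafSHA256: Set<String> = ["<BASE64_SHA256_OF_EXPECTED_LEAF_CERT>"]

    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Step 1: standard validation (hostname, expiry, chain to a trusted root).
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // Step 2: pin the leaf so a rogue but "valid" certificate is still rejected.
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let der = SecCertificateCopyData(leaf) as Data
        let digest = Data(SHA256.hash(data: der)).base64EncodedString()
        if pinnedLeafSHA256.contains(digest) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}
```

Attach either delegate with `URLSession(configuration: .default, delegate: ..., delegateQueue: nil)`; the first accepts an interposed certificate, the second fails the connection instead.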
Strafach, who works for Sudo Security Group, reports that the apps have received a combined total of more than 18 million downloads.
On Strafach’s list are a number of apps which he classifies as “low risk” despite it being possible to intercept their data. These apps, some of which can leak usernames and passwords, geolocation data and even keystrokes, include:
However, it appears that these “low risk” apps discovered by Will Strafach are just the tip of the iceberg.
The researcher has declined to post details of the remaining apps that are considered to be at “medium” or “high risk”, as he says he is in the process of reaching out to affected banks, medical providers and other developers to get the vulnerable apps fixed – subject to a two- or three-month responsible disclosure period.
If you’re concerned, one thing to remember is that your chances of having data intercepted are greatly reduced if you use a cellular connection (which requires a hacker to deploy specialist expensive hardware) rather than Wi-Fi.
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.