It is largely thought that iOS devices are secure, but we suppose apps and services that run on the platform are only as secure as the developers make them to be. Recently it has been discovered that over 1,500 iOS apps contain a HTTPS-crippling vulnerability which basically means that they are susceptible to password interception, along with bank account numbers, and other sensitive information that should have been secured.
The bug stems from the use of an older version of the AFNetworking open-source code library that allows developers to integrate networking capabilities inside of their apps. The developers behind AFNetworking have already released a patch that has fixed that flaw, but the apps that remain open to this vulnerability have yet to update to it and are still running version 2.5.1 instead of 2.5.2. The update has been released for over 3 weeks.
In the meantime it seems that there are some pretty big apps that are open to this vulnerability, such as the Citrix OpenVoice Audio Conference app, Alibaba’s mobile app, Movies by Flixster with Rotten Tomatoes, KYBankAgent 3.0, and more. To exploit this vulnerability, hackers would just need to present the app with fake secure sockets layer certificates, which under normal circumstances would have been rejected but due to the bug, the app would trust it, resulting in the hacker being able to perform a man-in-the-middle attack.
SourceDNA, who discovered the flaw, has since released a tool which allows users/developers to check an app they are using to see if its affected by it. The database will be updated frequently to remove apps from the list once they have been fixed, and to add new apps that might still be using the older version of AFNetworking.