
ATTENTION: 76 Famous Apps Found Vulnerable in iOS Store 2017



When downloading from a trusted app store, users generally assume security will not be an issue. Sadly, security can never be guaranteed. Apple’s App Store, generally considered much more secure than its contemporaries, is the latest example. At least 76 popular iOS apps were found to be susceptible to data interception, according to a report from a security expert.
These concerning findings come from verify.ly, a service created by Sudo Security Group CEO Will Strafach.
Strafach’s verify.ly service is dedicated to scanning apps in the iOS App Store searching for vulnerabilities to help developers understand how to harden and secure their code. The scans look for patterns in vulnerabilities to determine which applications are under threat.
The applications, found vulnerable to silent data interception, amassed over 18 million total downloads from the App Store. While each app is of varying risk level, needless to say, a user is safer with all of them removed from the system.

List of low-risk vulnerable apps

  1. Free Video Call, Text and Voice
  2. VivaVideo
  3. Snap Upload for Snapchat
  4. Uconnect Access
  5. Volify
  6. Uploader Free for Snapchat
  7. Epic! 
  8. Mico
  9. Safe Up for Snapchat
  10. Tencent Cloud
  11. Uploader for Snapchat
  12. Huawei HiLink (Mobile WiFi)
  13. VICE News
  14. Trading 212 Forex & Stocks
  15. 途牛旅游-订机票酒店火车票汽车票特价旅行
  16. CashApp
  17. FreeMyApps
  18. 1000 Friends for Snapchat
  19. YeeCall Messenger
  20. InstaRepost 
  21. Loops Live
  22. Privat24
  23. Private Browser
  24. Cheetah Browser
  25. AMAN BANK
  26. FirstBank PR Mobile Banking
  27. VPN free
  28. Gift Saga
  29. Vpn One Click Professional
  30. Music tube
  31. AutoLotto
  32. Foscam IP Camera Viewer by OWLR for Foscam IP Cams
  33. Code Scanner by ScanLife: QR and Barcode Reader
Usually, Transport Layer Security (TLS), the protocol that secures communications between a client and a server, prevents such breaches. Since these apps fail to provide this protection, an attacker who injects an invalid TLS certificate into the connection can intercept user data. The interception is possible regardless of whether the developers use Apple’s networking security feature, App Transport Security.
Strafach, in a blog post on his findings, stresses that:
The truth of the matter is, this sort of attack can be conducted by any party within Wi-Fi range of your device while it is in use. This can be anywhere in public, or even within your home if an attacker can get within close range.
There is no possible fix to be made on Apple’s side, because if they were to override this functionality in attempt to block this security issue, it would actually make some iOS applications less secure as they would not be able to utilize certificate pinning for their connections, and they could not trust otherwise untrusted certificates which may be required for intranet connections within an enterprise using an in-house PKI. Therefore, the onus rests solely on app developers themselves to ensure their apps are not vulnerable.
He explained an attack could be carried out using custom hardware or a slightly modified smartphone. This mode of attack is comparable to that of a device that is able to skim data from credit cards.

Apps Susceptible to Data Interception

One of the affected apps was ooVoo, a popular video chat service that leaves usernames and passwords vulnerable to interception. The issue has been present in the app since 2013 according to a report from Double Encore engineer Nick Arnott.
Other apps found to be at risk included the official app for Vice News, several third-party Snapchat apps, banking apps based in Puerto Rico and Libya, and several popular and free VPN apps. The banking apps and VPNs are of particular concern as they should provide greater security and are more likely to carry sensitive information.
Strafach stated that, to protect your data, it is a better idea to switch off Wi-Fi and use cellular data. Cellular networks are not as easily tracked as Wi-Fi networks. Hence, it is advisable to use cellular data to log in to your bank account, make transactions, and check your balance.
Strafach sorted the 76 apps into low, medium, and high-risk categories. He intends to reach out to developers to fix the problem before exposing the list of vulnerabilities.
The list will be revealed within a few months so that cyber criminals can’t exploit the apps before they are patched. Meanwhile, a list of low-risk apps has been released for user security. For now, users are advised to remove any installed app that is vulnerable to data interception.
