
February 9, 2017

76 iOS apps with broken TLS certificate validation

The widespread view that iOS has higher mobile app security took a hit this week with news of 76 popular iOS apps being open to data theft after mobile app security testing.

The research from verify.ly, a service that does mobile app security testing of iOS apps for common security vulnerabilities, shows that a number of iOS apps with millions of downloads failed mobile app security standards. The apps range from low-risk third-party Snapchat add-ons to high-risk apps that handle credentials for medical or financial data.

Mobile app security testing showed that the apps are vulnerable to man-in-the-middle attacks because their networking code does not properly validate the server's Transport Layer Security certificate, the mechanism that is supposed to authenticate the server and secure client-server communications. An attacker on the same network can present an invalid certificate (for example a self-signed one), which the app accepts, and then read or modify the traffic. That also defeats many of the app's other security measures, since they assume the channel is private.

Will Strafach, the CEO of Sudo Security Group and creator of Verify.ly, said that an attack would require custom hardware or a modified mobile phone, and proximity to a user's Wi-Fi network. The data that could be intercepted included usernames and passwords in one popular video chat app, ooVoo, and other user data from apps such as Vice News, as well as from banking apps and VPN apps, where mobile app security standards are expected to be higher.

The fix relies on developers correcting the networking code in their iOS apps and verifying it with mobile app security testing. Apple cannot fix it at the platform level: the same challenge-handling hooks that let an app implement certificate pinning are what the vulnerable apps misuse to accept any certificate, so a blanket override would also break pinning. This is a widespread bug that many companies have failed to fix in spite of multiple new releases of their apps.
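The bug class and the fix described above, as an added example that is not code from the original page, from Strafach's research, or from Codified Security. It assumes an app using URLSession on iOS 13 or later; the host and the pinned hash are placeholders you replace with values computed out of band. The first delegate is the vulnerable pattern (accepts any certificate); the second evaluates the chain with the system policy and then applies a public key pin.

```swift
import Foundation
import Security
import CryptoKit

// VULNERABLE: the pattern behind the reported bug class. The delegate answers every
// server-trust challenge with "use this credential" without evaluating the trust object,
// so any certificate (self-signed, wrong host, expired) is accepted and an on-path
// attacker can terminate the TLS connection with a certificate of their own.
final class TrustEverythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if let trust = challenge.protectionSpace.serverTrust {
            completionHandler(.useCredential, URLCredential(trust: trust)) // no SecTrustEvaluate* call
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

// FIXED: evaluate the chain with the system policy (issuer chain, validity period,
// hostname) and only then apply an optional pin on the leaf public key. Rejecting on
// failure is the point: never fall back to .useCredential when evaluation fails.
final class PinningDelegate: NSObject, URLSessionDelegate {
    // Hypothetical values: hex SHA-256 of SecKeyCopyExternalRepresentation() for your
    // server's current leaf key and its scheduled replacement, computed out of band.
    private let pinnedLeafKeyHashes: Set<String>

    init(pinnedLeafKeyHashes: Set<String>) {
        self.pinnedLeafKeyHashes = pinnedLeafKeyHashes
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil) // not a TLS server-trust challenge
            return
        }

        // 1. System validation. The trust object already carries an SSL policy for the
        //    request's host, so this checks chain, validity period and hostname.
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // 2. Pin: SHA-256 over the raw leaf public key bytes. This is the key's external
        //    representation (PKCS#1 for RSA, X9.63 for EC), not the SPKI DER used by
        //    HPKP-style pins, so compute the expected value the same way.
        guard let leaf = SecTrustGetCertificateAtIndex(trust, 0),
              let key = SecCertificateCopyKey(leaf),
              let keyData = SecKeyCopyExternalRepresentation(key, nil) as Data? else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let digest = SHA256.hash(data: keyData).map { String(format: "%02x", $0) }.joined()

        if pinnedLeafKeyHashes.contains(digest) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage with a hypothetical host and a placeholder pin. Until the pin is replaced with a
// real value every connection is refused, which is the safe failure mode.
let delegate = PinningDelegate(pinnedLeafKeyHashes: ["<hex sha256 of leaf key, computed out of band>"])
let session = URLSession(configuration: .default, delegate: delegate, delegateQueue: nil)
let task = session.dataTask(with: URL(string: "https://api.example.com/login")!) { _, response, error in
    if let error = error {
        print("connection refused: \(error)")
    } else {
        print("status: \((response as? HTTPURLResponse)?.statusCode ?? -1)")
    }
}
task.resume()
```

To check an app for this bug in testing, route the device through an intercepting proxy whose CA certificate is not installed in the device's trust store. An app built like PinningDelegate refuses the connection with a TLS error; an app built like TrustEverythingDelegate completes the request and the proxy shows the plaintext, including any credentials it sent.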

Codified Security is here to help make your mobile app secure, whether it's for iOS or Android, and to make sure you're covering the OWASP Mobile Top 10. For mobile app security testing try out Codified Security.