An iOS app analysis service has confirmed that 76 popular iPhone apps are vulnerable to silent interception of data that should be protected by TLS.
Beware of these popular iPhone apps
During testing, the developers of verify.ly, a mobile app analysis service, found issues with many popular iPhone apps. Here are the details we have so far:
- 76 popular iPhone apps allow a silent man-in-the-middle attack on connections that should otherwise be protected by TLS (HTTPS). This MitM vulnerability lets the data be intercepted and manipulated by anyone positioned on the network path, most easily on a shared Wi-Fi network.
- According to Apptopia, these apps have a combined total of 18 million downloads.
- 33 of the apps are low-risk, 24 apps are medium-risk, and 19 apps are high-risk.
- Apple’s App Transport Security (ATS) policy does not and cannot prevent this vulnerability. ATS forces an app to use HTTPS with a modern TLS version, but it cannot stop an app whose own networking code overrides certificate validation and accepts whatever certificate the server (or an attacker) presents.
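The defect class behind a finding like this, as an added example that is not code from the original article or from any of the apps it names: a URLSession delegate that overrides the server-trust check so that any certificate is accepted, shown beside a hardened delegate that lets the system evaluate the chain and then pins the leaf certificate. The class names, the bundled certificate filename `api-server.der`, and the host `api.example.com` are assumptions.

```swift
import Foundation
import Security

// ADDED EXAMPLE. Hypothetical classes; not taken from any real app.
// ATS still forces HTTPS/TLS here. It does not stop the vulnerable delegate
// below from accepting a forged certificate presented by a MitM on local Wi-Fi.

/// VULNERABLE: every server-trust challenge is answered with .useCredential,
/// so chain validation, expiry and hostname checks never run. A self-signed
/// certificate from an attacker on the same network is silently accepted.
final class TrustEverythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
           let trust = challenge.protectionSpace.serverTrust {
            // BUG: wrapping the unevaluated trust object in a credential trusts any peer.
            completionHandler(.useCredential, URLCredential(trust: trust))
            return
        }
        completionHandler(.performDefaultHandling, nil)
    }
}

/// HARDENED: the simplest fix is to not implement this method at all, which
/// gives the system's default evaluation. If a delegate is needed (for pinning),
/// evaluate the chain first, then compare the leaf against a bundled copy.
final class PinnedDelegate: NSObject, URLSessionDelegate {
    /// DER-encoded copy of the expected server certificate, shipped in the app
    /// bundle as "api-server.der" (assumed filename). nil means pinning is
    /// misconfigured, and we fail closed.
    private let pinnedLeaf: Data? = {
        guard let url = Bundle.main.url(forResource: "api-server", withExtension: "der") else { return nil }
        return try? Data(contentsOf: url)
    }()

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            // Not a server-trust challenge (e.g. HTTP auth): let the system handle it.
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // 1. Standard evaluation against the device trust store: chain, expiry, hostname.
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // 2. Pin the leaf certificate's DER bytes to the bundled copy.
        guard let expected = pinnedLeaf,
              let leaf = SecTrustGetCertificateAtIndex(trust, 0),
              (SecCertificateCopyData(leaf) as Data) == expected else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

/// Assumed usage: one shared session whose delegate enforces the checks above.
let hardenedSession = URLSession(configuration: .default,
                                 delegate: PinnedDelegate(),
                                 delegateQueue: nil)

let request = URLRequest(url: URL(string: "https://api.example.com/v1/me")!)
let task = hardenedSession.dataTask(with: request) { data, response, error in
    // With a forged certificate in the path this completes with an error,
    // never with data. The TrustEverythingDelegate version would return data.
    print(error.map { "request failed: \($0)" } ?? "received \(data?.count ?? 0) bytes")
}
task.resume()
```

To check an app for this defect the way an analysis service does, route the device's traffic through an intercepting proxy whose CA certificate is deliberately not installed on the device. An app with correct validation fails every request; an app that still completes requests through the proxy is accepting an untrusted certificate and is vulnerable. Pinning to a single leaf certificate, as above, must be updated whenever the server's certificate is rotated, so ship the replacement certificate before the old one expires.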
Some Apps At Risk
Snap Upload for Snapchat
Uploader Free for Snapchat
Epic! Unlimited Books for Kids
Mico-Chat, Meet New People
Safe Up For Snapchat
Huawei HiLink (Mobile Wi-Fi)
Read the original article on Medium for more details. Guys, you don’t need a third-party app to post photos to Snapchat. Just use the official Snapchat app, which presumably has much better security than an unknown third-party app.
The apps deemed medium or high risk have not been publicly listed yet, out of respect for the companies. Only after the companies have been contacted and their iPhone apps patched will the list be published. verify.ly says this should happen within 60 to 90 days.
How To Help
First, the iOS users most at risk are those on Wi-Fi. If you use any of these iPhone apps, switch Wi-Fi off and use a cellular connection instead. The vulnerability still exists on cellular, but intercepting a mobile network is far harder: it requires expensive hardware that is illegal to operate in the United States, and a MitM attack on a mobile network is generally more noticeable than one on a shared Wi-Fi network.
If you must use Wi-Fi, a VPN may help mitigate some of the risk. Since a VPN tunnels all of your device’s traffic to the provider’s server, a service like LiquidVPN encrypts the data before anyone on the local Wi-Fi can get their hands on it. Note the limit of this mitigation: the VPN protects only the hop between your device and the VPN server. The app’s broken certificate check is still there, so anyone able to intercept traffic beyond the VPN exit could still perform the same attack. A VPN shrinks the exposure to the local network; it does not fix the app.