On February 6, iOS security researcher Will Strafach revealed that at least 76 iOS apps process TLS certificates in a way that makes the apps inherently insecure. Users have downloaded the vulnerable apps a combined 18 million times — and some of the potentially vulnerable data includes login credentials for financial and medical services.
How the Vulnerability Works
Strafach discovered that certain apps handle TLS certificates in a faulty way. Although the apps use TLS to encrypt login information, they fail to properly confirm the validity of the server's certificate before accepting it. A vulnerable app might accept a revoked or unsigned certificate as long as the expiration date hasn’t passed.
If you run one of the vulnerable apps on your device, it is theoretically possible for an attacker to intercept data by connecting to the same open Wi-Fi network or by simply sniffing the Wi-Fi packets coming from your device. Upon intercepting the communication, the attacker could present an invalid TLS certificate of their own, which the app accepts, and decrypt the data that you believe is secure.
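To show what the faulty handling looks like in app code, here is an added example that is not from the original article or from any of the named apps: a URLSession delegate that accepts every server certificate (the pattern behind this class of bug), beside one that validates the chain and hostname. Class names are hypothetical; the simplest correct fix is to implement no custom trust handling at all, since URLSession's default validation is already strict.

```swift
import Foundation
import Security

// VULNERABLE: hands any presented certificate back as a credential without
// evaluating it, so an unsigned, self-signed or revoked chain is accepted.
final class TrustEverythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if let trust = challenge.protectionSpace.serverTrust {
            // No SecTrustEvaluate call: this is the defect to look for in code review.
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

// HARDENED: only accept the trust object if the system evaluates the chain
// against the device's trusted roots AND the certificate matches the host.
final class ValidatingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            // Not a server-trust challenge: let the system handle it.
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Bind evaluation to the host we intended to reach, so a certificate
        // that is valid for some other name is rejected as well.
        let policy = SecPolicyCreateSSL(true, challenge.protectionSpace.host as CFString)
        SecTrustSetPolicies(trust, policy)

        var error: CFError?
        if SecTrustEvaluateWithError(trust, &error) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Chain, dates, hostname or revocation check failed: abort the connection.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}
```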
Which Apps Are Vulnerable?
Strafach hasn’t yet revealed the names of the vulnerable applications that could allow cybercriminals to steal financial or medical information. Instead, he opted to contact the makers of those apps directly and give them adequate time to fix the vulnerabilities. Strafach will release the full list of vulnerable apps in April or May.
Some of the vulnerable apps include:
- Loops Live
- FirstBank PR Mobile Banking
- VPN One Click Professional
- Code Scanner by ScanLife
Several of the vulnerable apps allow users to download lists of VPNs. Exploiting the TLS vulnerability could allow an attacker to steal a VPN server list and replace it with a list of his own. The replaced list could potentially include the IP addresses of malicious servers that could further compromise the user’s private data.
How Can I Protect Myself?
Until the full list of vulnerable iOS apps is made public, you should exercise caution when using an iOS app to send or receive private information over a Wi-Fi connection. Even on a private Wi-Fi network, it is theoretically possible that an attacker could intercept data coming from your phone by sniffing and decrypting the Wi-Fi packets. For maximum safety, turn your phone’s Wi-Fi radio off when using the Internet from a public location. Use the phone’s cellular radio instead.
If you’re trying to avoid using your phone’s monthly data allotment, you can improve your phone’s Wi-Fi security by connecting to a VPN. Since a VPN creates a secure tunnel between your phone and the VPN server, there’s little chance of an attacker on the Wi-Fi network intercepting an app’s TLS traffic. After you connect the phone to a public Wi-Fi network, though, the phone is still temporarily vulnerable until you connect to the VPN. Close any sensitive apps running in the background before you connect to the Wi-Fi network.
Is My Phone Completely Safe From Attackers If I Use the Cellular Connection?
Not necessarily. If you use a vulnerable iOS app on a cellular connection, it is still theoretically possible that an attacker could intercept your communication and insert a rogue TLS certificate. However, Strafach says that there is little chance of an attacker compromising a vulnerable iOS app by intercepting a phone’s cellular communication. The hardware required to intercept cellular communication is bulky and costly. In addition, intercepting cellular communication is against the law.