1,500 iOS apps are vulnerable to a security threat: Here’s how you can stay safe

Best Phablets Apple iPhone 6 Plus
Apple’s operating systems are typically considered exceptionally safe and secure, but even Apple’s OS X and iOS aren’t  invulnerable to attacks from hackers and serious bugs. Recently, security firm SourceDNA revealed that an HTTPS-crippling flaw can be exploited in around 1,500 iOS apps. Hackers who discover the vulnerability can gain access to sensitive information such as credit card numbers and encrypted passwords through the affected apps.

We found that the vast majority of apps in the top 100 free apps on the App Store are safe.

We searched through the most commonly downloaded apps in the App Store, and found that very few of the most popular free and paid apps are still affected by the bug. Regardless, it’s best to check if your apps are vulnerable and to learn how to protect yourself.

Here’s everything you need to know.

Here’s how hackers exploit the flaw

According to the security firm, around two million people have installed apps that suffer from the HTTPS-crippling vulnerability. The apps include Citrix OpenVoice Audio Conferencing, Alibaba’s mobile app, Movies by Flixster with Rotten Tomatoes, KYBankAgent 3.0, and Revo Restaurant Point of Sale, among others. The researchers are trying to keep the full list of apps under wraps so as to avoid opening iOS users up to more hackers who would use the vulnerability for nefarious purposes. However, on its website, SourceDNA offers a tool to developers so they can check if their apps are safe.

The researchers found that the vulnerability comes from a problem in an older version of an open-source code library called AFNetworking, which allows developers to add networking capabilities to their apps. AFNetworking fixed the issue about three weeks ago, and many developers have already updated their iOS apps to close the hole, but at least 1,500 iOS apps are still vulnerable. Among the companies that have already fixed the flaw are Yahoo, Uber, and Microsoft.

SourceDNA explained in a blog post that any app that’s still using the older version of the AFNetworking code is vulnerable to man-in-the-middle attacks that allow hackers to decrypt HTTPS-encrypted data. Here’s how it works: Hackers who want to exploit the flaw simply hop onto a coffee shop Wi-Fi network to monitor the targeted device. The hackers then send the device a fraudulent secure sockets layer certificate. Typically, the device would realize that the certificate is a fake, and the device would drop the connection immediately. However, devices with apps that run the older version of the AFNetworking code have a logic error that allows the fake certificate to pass without a security check.

The reason why the check is never carried out by these apps is that the AFNetwork version 2.5.1 doesn’t offer certificate pinning, which ensures that apps use a specific certificate for HTTPS authentication and encryption. The absence of this extra security check leaves the affected apps completely open to hackers. Now that SourceDNA has publicly revealed the vulnerability, app developers will most likely move to fix the flaw, but it could take time.

Here’s how to protect yourself

App updates iOS Based on the report, it seems that hackers have to target your device using public Wi-Fi networks like the ones found in cafes and stores. Any untrusted Wi-Fi network should be avoided for the time being. You can also turn off background app refresh on your iPhone or iPad, so the apps don’t try to connect to open networks.

If you’re concerned that your iPhone or iPad might house affected apps, you can check your apps using SourceDNA’s tool. You should also update all of your apps in case affected developers have already issued an update to patch the hole. You can update your apps by going to the App Store app and going to the updates tab in the bottom right-hand corner.

We used SourceDNA’s tool to search for a handful of popular apps on the App Store to see which ones are affected by the bug. We found that the vast majority of apps in the top 100 free apps on the App Store are safe. We also checked a handful of top paid apps and found very few affected.

Here’s a full list of the commonly-used apps:

  • Google – No vulnerable apps
  • Yahoo – Yahoo Finance version 2.3.2
  • Microsoft – OneDrive version 5.1
  • Facebook – No vulnerable apps
  • Snapchat – No vulnerable apps
  • Instagram – No vulnerable apps
  • Pandora – No vulnerable apps
  • Netflix – No vulnerable apps
  • WhatsApp – No vulnerable apps
  • Pinterest – No vulnerable apps
  • Twitter – No vulnerable apps
  • Spotify – No vulnerable apps
  • Skype – No vulnerable apps
  • Amazon – No vulnerable apps
  • Uber – Uber version 2.64
  • The Weather Channel – No vulnerable apps
  • Vine – No vulnerable apps
  • SoundCloud – SoundCloud version 3.8.1
  • eBay – No vulnerable apps
  • Waze – No vulnerable apps
  • Beats Music – No vulnerable apps
  • Viber – No vulnerable apps
  • Shazam – No vulnerable apps
  • Yelp – No vulnerable apps
  • Fitbit – No vulnerable apps
  • Tinder – No vulnerable apps
  • Dropbox – No vulnerable apps
  • Tumblr – No vulnerable apps
  • Slack – No vulnerable apps
  • Afterlight – No vulnerable apps
  • Minecraft – No vulnerable apps
  • Ustwo – No vulnerable apps
  • Dark Sky – No vulnerable apps

As you can see, the number of affected apps that are popular is actually very small, and that number continues to shrink as companies perform updating. While 1,500 apps sounds like a huge number, given the millions of apps in the App Store, the reality is much smaller than you might think. Nonetheless, it’s better safe than sorry, so check out your apps here.


Tesla Model 3 vulnerability exposed at Pwn2Own; hackers take home the car

A Tesla Model 3 vulnerability was exposed at the Pwn2Own hacking competition. The hackers, who were able to display a message on the electric vehicle's internet browser, won $35,000 and took home the car.

24 must-have apps for rooted Android phones and tablets

Rooting your Android device opens up a world of possibilities, along with a few apps. Here are 24 of our favorites, so you can make the most of your rooted device and unleash the true power of Android.
Social Media

A Facebook, Instagram bug exposed millions of passwords to its employees

Facebook, Facebook Lite, and Instagram passwords weren't properly encrypted and could be viewed by employees, the company said Thursday. The network estimates millions of users were affected.

Browse safely and securely with Opera’s unlimited VPN on Android

Opera has added a new VPN to its Android browser, offering an easy way to keep your privacy and data locked up solid, and with no limits on usage or cost, you can keep it on all the time.

Scientists wreck a smartphone in a blender, but not just for fun

It’s oddly mesmerizing to watch a smartphone get torn apart inside a blender. Researchers recently did just that in a bid to find out which materials make up a handset, and also to encourage people to think more about recycling.
Movies & TV

Apple’s next big event is minutes away: Here’s what you can expect

Apple's next big event takes place on March 25 in Cupertino, California. The company is expected to make several announcements related to its services, including Apple TV, so follow our guide to get ready for the big event.

This $76,000 Grand Seiko watch has something in common with a plug-in hybrid car

How can a watch that costs $76,000 possibly have anything in a common with any car, let alone a plug-in hybrid? It's all about the complex, technically incredible Spring Drive movement inside this Grand Seiko watch.

The excellent Apple iPad gets even deeper price cuts on Amazon

The humble iPad from 2018 is still one of the best tablets around -- and a solid choice for most people. Amazon has seen some great price drops for these tablets recently, and now you can own an iPad for even less than before.

More than a screenshot: How to record the screen on an Android device

If you've ever want to record video of your Android screen, there are plenty of apps that can help. Here's an easy guide on how to record the screen on an Android device with the right settings and apps.

Apple March 2019 Event Coverage

Apple’s next event will take place March 25 at the Steve Jobs Theater in Cupertino, California at 10 a.m. PT. We’ve got a handy guide on how to watch, but don’t expect to see any new iPads, iMacs, or AirPods at the show, all of…
Product Review

Want to see how powerful the Snapdragon 855 chip is? Just rev up the Xiaomi Mi 9

How fast do you want to go? If the answer to this is “as fast as possible,” then take a long look at the Xiaomi Mi 9. It’s one of the highest performance smartphones you can buy. It’s a real monster, and we’ve been using it.

Apple Card is a credit card you can sign up for and start using with your iPhone

Apple is getting into the credit card business. Apple Card is a credit card you can sign up for directly on your iPhone, and it doesn't have fees. There's a lower interest rate and you can even get Daily Cash from all purchases.

Apple Arcade might be the new game subscription service worth signing up for

Apple Arcade will launch this fall bringing a new game-subscription service with cross-platform support for iOS, Mac, and Apple TV. At launch, the service will feature more than 100 exclusive games, with more added to the service regularly.

Check out 22 of the best iPhone 7 cases and covers for your shiny new phone

The iPhone 7 might be attractive, but it’s not rugged. To keep your device in pristine condition, you really need to think about proper protection. That's why we've rounded up some of the best iPhone 7 cases and covers available.