
1,500 iOS apps are vulnerable to a security threat: Here’s how you can stay safe

Apple’s operating systems are typically considered exceptionally safe and secure, but even Apple’s OS X and iOS aren’t invulnerable to attacks from hackers and serious bugs. Recently, security firm SourceDNA revealed that an HTTPS-crippling flaw can be exploited in around 1,500 iOS apps. Hackers who discover the vulnerability can gain access to sensitive information such as credit card numbers and encrypted passwords through the affected apps.


We searched through the most commonly downloaded apps in the App Store, and found that very few of the most popular free and paid apps are still affected by the bug. Regardless, it’s best to check if your apps are vulnerable and to learn how to protect yourself.

Here’s everything you need to know.


Here’s how hackers exploit the flaw

According to the security firm, around two million people have installed apps that suffer from the HTTPS-crippling vulnerability. The apps include Citrix OpenVoice Audio Conferencing, Alibaba’s mobile app, Movies by Flixster with Rotten Tomatoes, KYBankAgent 3.0, and Revo Restaurant Point of Sale, among others. The researchers are trying to keep the full list of apps under wraps so as to avoid opening iOS users up to more hackers who would use the vulnerability for nefarious purposes. However, on its website, SourceDNA offers a tool to developers so they can check if their apps are safe.

The researchers found that the vulnerability comes from a problem in an older version of an open-source code library called AFNetworking, which allows developers to add networking capabilities to their apps. AFNetworking fixed the issue about three weeks ago, and many developers have already updated their iOS apps to close the hole, but at least 1,500 iOS apps are still vulnerable. Among the companies that have already fixed the flaw are Yahoo, Uber, and Microsoft.

SourceDNA explained in a blog post that any app that’s still using the older version of the AFNetworking code is vulnerable to man-in-the-middle attacks that allow hackers to decrypt HTTPS-encrypted data. Here’s how it works: Hackers who want to exploit the flaw simply hop onto a coffee shop Wi-Fi network to monitor the targeted device. The hackers then send the device a fraudulent secure sockets layer certificate. Typically, the device would realize that the certificate is a fake, and the device would drop the connection immediately. However, devices with apps that run the older version of the AFNetworking code have a logic error that allows the fake certificate to pass without a security check.

The reason the check is never carried out by these apps is that AFNetworking version 2.5.1 doesn’t offer certificate pinning, which ensures that apps use a specific certificate for HTTPS authentication and encryption. The absence of this extra security check leaves the affected apps completely open to hackers. Now that SourceDNA has publicly revealed the vulnerability, app developers will most likely move to fix the flaw, but it could take time.
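For developers, one way to check a project for the library version named above is to read the dependency lockfile. The following is an added example, not SourceDNA's tool or code from the article; it assumes the app uses CocoaPods with a `Podfile.lock`, and the lockfile contents shown are constructed sample data.

```python
import re

# Version the article names as affected; change it to match the advisory you follow.
FLAGGED_VERSION = "2.5.1"
LIBRARY = "AFNetworking"

# Resolved pods are two-space-indented entries under "PODS:", for example
#   - AFNetworking/Security (2.5.1):
# Four-space-indented lines are dependency constraints, not resolved versions.
POD_LINE = re.compile(r'^  - "?([^\s("]+) \(([^)]+)\)"?:?\s*$')

def resolved_pods(lockfile_text):
    """Yield (name, version) for every resolved pod in the PODS section."""
    in_pods = False
    for line in lockfile_text.splitlines():
        if line and not line.startswith(" "):  # a top-level key starts a new section
            in_pods = line.strip() == "PODS:"
            continue
        if in_pods:
            match = POD_LINE.match(line)
            if match:
                yield match.group(1), match.group(2)

def flagged_entries(lockfile_text):
    """Return resolved AFNetworking pods (subspecs included) at the flagged version."""
    return sorted(
        (name, version)
        for name, version in resolved_pods(lockfile_text)
        if name.split("/")[0] == LIBRARY and version == FLAGGED_VERSION
    )

# Constructed sample lockfile, not taken from any real app.
SAMPLE_LOCK = """\
PODS:
  - AFNetworking (2.5.1):
    - AFNetworking/Security (= 2.5.1)
  - AFNetworking/Security (2.5.1)
  - SDWebImage (3.7.1)

DEPENDENCIES:
  - AFNetworking (~> 2.5)
"""

if __name__ == "__main__":
    for name, version in flagged_entries(SAMPLE_LOCK):
        print(f"{name} resolved to {version}: update the pod and rebuild")
```

The lockfile only shows what the last `pod install` resolved, so the shipped binary should be rebuilt and resubmitted after the dependency is updated.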

Here’s how to protect yourself

Based on the report, it seems that hackers have to target your device using public Wi-Fi networks like the ones found in cafes and stores. Any untrusted Wi-Fi network should be avoided for the time being. You can also turn off background app refresh on your iPhone or iPad, so the apps don’t try to connect to open networks.

If you’re concerned that your iPhone or iPad might house affected apps, you can check your apps using SourceDNA’s tool. You should also update all of your apps in case affected developers have already issued an update to patch the hole. You can update your apps by going to the App Store app and going to the updates tab in the bottom right-hand corner.

We used SourceDNA’s tool to search for a handful of popular apps on the App Store to see which ones are affected by the bug. We found that the vast majority of apps in the top 100 free apps on the App Store are safe. We also checked a handful of top paid apps and found very few affected.

Here’s a full list of the commonly-used apps:

  • Google – No vulnerable apps
  • Yahoo – Yahoo Finance version 2.3.2
  • Microsoft – OneDrive version 5.1
  • Facebook – No vulnerable apps
  • Snapchat – No vulnerable apps
  • Instagram – No vulnerable apps
  • Pandora – No vulnerable apps
  • Netflix – No vulnerable apps
  • WhatsApp – No vulnerable apps
  • Pinterest – No vulnerable apps
  • Twitter – No vulnerable apps
  • Spotify – No vulnerable apps
  • Skype – No vulnerable apps
  • Amazon – No vulnerable apps
  • Uber – Uber version 2.64
  • The Weather Channel – No vulnerable apps
  • Vine – No vulnerable apps
  • SoundCloud – SoundCloud version 3.8.1
  • eBay – No vulnerable apps
  • Waze – No vulnerable apps
  • Beats Music – No vulnerable apps
  • Viber – No vulnerable apps
  • Shazam – No vulnerable apps
  • Yelp – No vulnerable apps
  • Fitbit – No vulnerable apps
  • Tinder – No vulnerable apps
  • Dropbox – No vulnerable apps
  • Tumblr – No vulnerable apps
  • Slack – No vulnerable apps
  • Afterlight – No vulnerable apps
  • Minecraft – No vulnerable apps
  • Ustwo – No vulnerable apps
  • Dark Sky – No vulnerable apps

As you can see, the number of popular apps that are affected is actually very small, and that number continues to shrink as companies update their apps. While 1,500 apps sounds like a huge number, given the millions of apps in the App Store, the reality is much smaller than you might think. Nonetheless, it’s better safe than sorry, so check out your apps here.

Malarie Gokey
Former Digital Trends Contributor