Many popular iOS apps not properly encrypting user data: Security researcher

08 Feb 2017

Many of the iOS apps supposed to be encrypting user data fail to do so properly, according to security researcher Will Strafach, CEO of Sudo Security Group.

According to Strafach, he found 76 iOS apps that were vulnerable to an attack that could intercept protected data.

The developers of the apps had accidentally misconfigured the networking-related code so that it would accept an invalid Transport Layer Security (TLS) certificate, Strafach said in a Monday blog post. 

TLS is used to secure an app's communication over an internet connection. When it is absent, or when the app does not properly validate the server's certificate, an attacker on the same network could eavesdrop on whatever data the app sends, such as login information.
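The misconfiguration described above typically lives in an app's URLSession challenge handler. The following Swift is an added illustration, not code from the article or from any of the apps it discusses; the class names are hypothetical. The first delegate shows the vulnerable pattern (accepting any server certificate), the second the corrected pattern (letting the system evaluate the chain and failing closed).

```swift
import Foundation
import Security

// Vulnerable pattern: the delegate accepts whatever certificate the server presents.
// Any party on the same network can substitute its own certificate and read the traffic.
final class TrustAnythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // BUG: the chain is never evaluated, so a self-signed or forged certificate passes.
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// Hardened pattern: evaluate the chain against the system trust store (including the
// hostname check the system attaches to server-trust challenges) before using it,
// and cancel the connection outright when evaluation fails.
final class ValidatingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            // Untrusted chain or hostname mismatch: fail closed rather than open.
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// Simplest safe option: do not override the challenge at all, so URLSession performs its
// default validation. The explicit delegate above is only needed when custom handling is required.
let session = URLSession(configuration: .default, delegate: ValidatingDelegate(), delegateQueue: nil)
```

A quick review check for the vulnerable pattern is any challenge handler that calls `completionHandler(.useCredential, ...)` on a server-trust challenge without first evaluating the trust object.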

"This sort of attack can be conducted by any party within Wi-Fi range of your device while it is in use," Macworld reported, quoting Strafach. "This can be anywhere in public, or even within your home if an attacker can get within close range."

Strafach identified the vulnerability in the 76 apps when he scanned them with his company's security service, verify.ly. Strafach is promoting the service, which flagged "hundreds of applications" with a high likelihood of data interception.

According to Strafach, 43 of the apps were either a high or medium risk, as they risked exposing login information and authentication tokens.

The 76 apps fell into three categories: low-risk (33 apps), medium-risk (24 apps), and high-risk (19 apps).

High-risk apps leaked financial or medical service login credentials and session authentication tokens for logged-in users, while medium-risk apps allowed attackers to intercept login credentials and session authentication tokens for logged-in users.