Most used South African iOS apps affected by MiTM security flaw

Update: A second vulnerability was found – read the follow-up post here: Several South African iOS apps vulnerable

A security report was released which higlights that more than 1500 iOS apps are affected by a SSL MiTM attack in AFNetworking 2.5.1. It turned out that because of a logic flaw in the latest version of the library, SSL MiTM attacks are feasible in apps using AFNetworking 2.5.1. Full details on how the scan is performed and the period of the vulnerability window is detailed in this link.

The issue occurs even when the mobile application requests the library to apply checks for server validation in SSL certificates. Given that AFNetworking library is one of the most popular networking library for iOS and OS X and it is used by Pinterest, Heroku and Simple among others, the problem could affect a very high number of mobile users.

The issue was first raised in February 13th, 2015 and was only patched on 27.03.2015 with 2.5.2 and should have given suppliers sufficient time to patch their apps. Looking at the top used apps in South Africa (according to iTunes Top Grossing / Free), there are several apps using outdated AFNetworking libraries and most either upgraded to the latest version or some downgraded to bypass the exposure window:

  • All SA banking apps: ok
  • Endomondo: ok
  • Fitbit: ok
  • Groupon: ok
  • LinkedIn: ok
  • Multichoice: ok
  • PayPal: ok
  • Takealot: ok
  • Tinder: ok
  • Uber: vulnerable
  • Zomato: Zomato – Food & Restaurant Finder – ok

This is by no means a comprehensive list, and you should check your own apps via the following link and ensure that you upgrade: Most of the apps listed above use outdated versions (i.e. 2.5.0 or lower) or have just recently upgraded to 2.5.2. Uber for example chose to downgrade from 2.5.1 to 2.5.0 to avoid the vulnerability, which is also quite bizarre. A sign of comfort is that none of the South African financial apps use AFNetworking or have ever been affected by this.

Note: Just because any of the apps mentioned included an outdated/vulnerable library, does not mean that you have been exposed by the vulnerability, but it is certainly advisable to revisit your application passwords and/or data you managed in your apps to prevent any issues.