Some Medical and Bank iOS Apps Are Exposing Login Details to Hackers

According to an iOS-focused security researcher, over 70 apps are screwing up their encryption implementations.

Feb 6 2017, 10:00pm

Smartphone apps may be convenient, fun, or a decent distraction, but plenty of them play a dangerous game with your data. Over 70 iOS apps are exposing user and device data to interception because they have been misconfigured or otherwise fail at handling encryption, according to a security researcher.

"Automatically scanning the binary code of applications within the Apple App Store en-masse allowed us to get a vast amount of information about these security issues," Will Strafach, an iOS-focused security researcher, wrote in a Medium post published on Monday. Strafach used his own web-based, app analysis service, to dig through the apps.

In short, many of these apps mishandle the way they transmit data that is normally encrypted, and will accept an encryption certificate—a file that authenticates where a request for data is coming from—no matter who made it.

"Whatever the case is, some just mess it up by not fully understanding the code they've input, and it ends up breaking the default validation that is in place so that instead of using the default store of trusted root [certificate authorities], the apps will accept any [certificate] signed by any [certificate authority]," Strafach told Motherboard in a Signal message.

In his Medium post, Strafach says he confirmed that each app was exposing data with an iPhone running iOS 10, the latest version, and then creating a malicious proxy that would insert an invalid encryption certificate into the connection.

"The truth of the matter is, this sort of attack can be conducted by any party within Wi-Fi range of your device while it is in use. This can be anywhere in public, or even within your home if an attacker can get within close range. Such an attack can be conducted using either custom hardware, or a slightly modified mobile phone, depending on the required range and capabilities," Strafach writes.

In all, Strafach found 76 iOS apps vulnerable to this sort of attack, which, according to figures from Apptopia, may have been downloaded some eighteen million times. He split the apps into three different brackets—low, medium and high risk. Low risk apps expose stuff like analytics data and email addresses; medium deals with login credentials or authentication tokens; and the 19 high risk apps leave financial or medical service login details open to interception.

Strafach has not publicly named any of the medium or high risk apps as he is reaching out to the companies behind those pieces of software. But those affected include, as suggested, banks and medical providers.

According to Apple, there are more than 2.2 million applications in the App Store.

Strafach told Motherboard he doesn't want to freak people out however, and provides solutions for users, developers and companies. Some are short term: maybe users could switch off Wi-Fi when they're in a public location, so their data is only transmitted over their cellular connection, which arguably makes the data somewhat harder to intercept. While developers might want to be very careful when dealing with network-related code, Strafach writes.

"Thing is, when done right, you cannot intercept without the valid root certificate for a server. so issue is the amount of apps not doing it right," Strafach told Motherboard.