Apps Vulnerable to WiFi Snooping

Strafach categorized another 24 iOS apps as “medium risk.” Potentially intercepted information included service login credentials and session authentication tokens for users logged onto the network.

Strafach labeled the remaining apps “high risk” because potentially intercepted information included the snatching of financial or medical services login credentials.

He did not identify the medium and high risk apps by name, in order to give their makers time to patch the vulnerability in their apps.

How concerned should users be about their security when using these apps?

“I tried to leave out anything regarding concern level, as I do not want to freak people out too much,” Strafach told TechNewsWorld.

“While this is indeed a big concern in my opinion, it can be mostly mitigated by turning off WiFi and using a cellular connection to perform sensitive actions — such as checking bank balances — while in public,” he said.

 

Man in the Middle Attack

If anything, Strafach is understating the problem, maintained Dave Jevans, vice president for mobile security products at Proofpoint.

“We’ve analyzed millions of apps and found this is a widespread problem,” he told TechNewsWorld, “and it’s not just iOS. It’s Android, too.”

Still, it likely is not yet a cause for great alarm, according to Seth Hardy, director of security research at Appthority.

“It’s something to be concerned about, but we’ve never seen it actively exploited in the wild,” he told TechNewsWorld.

What the vulnerability does is enable a classic man-in-the-middle attack. Data from the target phone is intercepted before it reaches its destination. It is then decrypted, stored, re-encrypted and then sent to its destination — all without the user’s knowledge.

To do that, an app needs to be fooled into thinking it’s communicating with a destination and not an evesdropper.

“In order for a man-in-the-middle attack to be successful, the attacker needs a digital certificate that’s either trusted by the application, or the application is not properly vetting the trust relationship,” explained Slawek Ligier, vice president of engineering for security at Barracuda Networks.

“In this case, it appears that developers are developing applications in a way that allows any certificate to be accepted,” he told TechNewsWorld. “If the certificate is issued and not expired, they’re accepting it. They’re not checking if it’s been revoked or even if it’s properly signed.”