The application analysis service SourceDNA released a report on Monday stating that about 1,500 iOS applications contain an “HTTPS-crippling” vulnerability. The vulnerability could allow attackers to intercept encrypted user information such as passwords, bank account numbers or other highly sensitive data. SourceDNA estimates that more than 200 million users have installed affected applications, which include Citrix OpenVoice Audio Conferencing, the Alibaba (Alibaba.com) mobile application, KYBankAgent 3.0 and Revo Restaurant Point of Sale.
The vulnerability exists in earlier versions of AFNetworking, an open source networking framework that lets developers add network functionality to their applications. Although the latest version, 2.5.2, which fixes the vulnerability, was released three weeks ago, at least 1,500 iOS applications still use version 2.5.1 and remain exposed.
To exploit the vulnerability, an attacker only needs to monitor a vulnerable iOS device's traffic on a WiFi network or elsewhere on the Internet, and then present a forged Secure Sockets Layer (SSL) certificate. Under normal circumstances, such a forged certificate would be detected immediately. However, because of a logic error in the version 2.5.1 code, the forged certificate is not validated and is treated as legitimate.
SourceDNA believes that many developers are unaware of the vulnerability. As a result, while SourceDNA found only 1,000 affected apps on April 1, the figure had risen to 1,500 by April 18. It is now up to the developers of the affected iOS apps to update as soon as possible and ship a fix to the App Store.
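For developers checking their own projects, the following added example (not code from SourceDNA or the AFNetworking project) reads a CocoaPods Podfile.lock and reports whether each resolved AFNetworking pod is at 2.5.1, at 2.5.2 or later, or older. It assumes the app pulls in AFNetworking through CocoaPods; the function names and the sample lockfile are constructed for illustration.

```python
import re

AFFECTED = (2, 5, 1)   # release the article says skips certificate validation
FIXED = (2, 5, 2)      # release the article says fixes it
# A resolved pod in the PODS section: two-space indent, "- Name (version)".
POD_LINE = re.compile(r'^  - "?(AFNetworking(?:/[^\s"]+)?) \((\d[^)]*)\)"?:?\s*$')

def parse_version(text):
    """Turn '2.5.1' (or '3.0.0-beta.1') into a comparable tuple of ints."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])

def audit_lockfile(lock_text):
    """Return [(pod, version, status)] for every resolved AFNetworking pod."""
    findings, section = [], None
    for line in lock_text.splitlines():
        if line and not line[0].isspace():
            section = line.rstrip(":")      # top-level key: PODS, DEPENDENCIES, ...
            continue
        # Only the PODS section lists resolved versions; DEPENDENCIES holds
        # version constraints such as "~> 2.5" and is skipped.
        match = POD_LINE.match(line) if section == "PODS" else None
        if not match:
            continue
        pod, version = match.groups()
        parsed = parse_version(version)
        if parsed == AFFECTED:
            status = "affected"
        elif parsed >= FIXED:
            status = "fixed"
        else:
            status = "review"   # older than 2.5.1: the article gives no verdict
        findings.append((pod, version, status))
    return findings

# Constructed sample lockfile, not taken from any real app.
SAMPLE_LOCK = """\
PODS:
  - AFNetworking (2.5.1):
    - AFNetworking/NSURLConnection (= 2.5.1)
  - AFNetworking/NSURLConnection (2.5.1)
  - SDWebImage (3.7.2)

DEPENDENCIES:
  - AFNetworking (~> 2.5)
"""

if __name__ == "__main__":
    for pod, version, status in audit_lockfile(SAMPLE_LOCK):
        print(f"{pod} {version}: {status}")
```

Run against a real project by passing the contents of its Podfile.lock to audit_lockfile; any "affected" row means the shipped build still links 2.5.1.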
SourceDNA offers a search for the relevant apps. A complete list of all affected apps has intentionally not been made available.
SourceDNA initially did not disclose the names of the affected applications so that developers would have time to upgrade. Today, SourceDNA provides a search tool that allows users to search by iOS developer name.
Last month, Apple had to fix the FREAK security vulnerability affecting iOS. That vulnerability is a remnant of 1990s US legal restrictions on the export of RSA encryption keys, which are still supported by many browsers.