
Experts from Sudo Security Group have discovered that at least 76 of the most popular iOS apps available through Apple's App Store have failed to properly implement TLS encryption and expose their users to silent MitM (Man-in-the-Middle) attacks.

Sudo Security researchers yesterday published a blog post that includes a list of 76 popular iOS apps and the content each one leaks via its TLS-encrypted traffic.

The list includes popular apps such as browsers, news apps, games, and many VPN and mobile banking apps.

Apps failed to secure HTTPS traffic the right way

Researchers say that these apps have followed Apple's ATS (App Transport Security) guidelines, which mandate the use of HTTPS for sensitive data transfers between the app and the developer's server, even though Apple pushed back the ATS deadline indefinitely last fall.

Despite this effort to secure traffic, Sudo experts say that app developers have not followed proper guidelines in validating and pinning HTTPS certificates.

This glaring security hole allows a third party, such as a state-sponsored group, an Internet service provider, or a hacker running a malicious access point, to deliver forged SSL/TLS certificates and relay the user's HTTPS traffic via a proxy. This, in turn, allows the attacker to read the user's encrypted traffic and gain access to sensitive information.
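As an added illustration (not code from Sudo Security's report or from any of the apps named), this Go snippet shows the control the affected apps lacked: normal chain and hostname validation stays enabled, and a SubjectPublicKeyInfo pin is checked on top, so a forged certificate issued for the right hostname is still rejected. The host name and the self-signed certificates are constructed test data; the same check belongs in an iOS app's URLSession authentication-challenge delegate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// spkiPin hashes the certificate's SubjectPublicKeyInfo: the value an app ships for its own backend.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyPinned is a tls.Config.VerifyPeerCertificate callback. Go invokes it only after normal chain
// and hostname validation passed (InsecureSkipVerify stays false), so pinning is layered on validation.
func verifyPinned(pins map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, chains [][]*x509.Certificate) error {
		for _, chain := range chains {
			for _, cert := range chain {
				if pins[spkiPin(cert)] { // a pinned key anywhere in the verified chain is enough
					return nil
				}
			}
		}
		return fmt.Errorf("tls: verified chain contains no pinned public key")
	}
}

// selfSignedCert produces constructed offline test data, not a real server certificate.
func selfSignedCert(name string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	genuine, forged := selfSignedCert("api.example.test"), selfSignedCert("api.example.test")
	cfg := &tls.Config{ServerName: "api.example.test", VerifyPeerCertificate: verifyPinned(map[string]bool{spkiPin(genuine): true})}
	fmt.Println(cfg.VerifyPeerCertificate(nil, [][]*x509.Certificate{{genuine}})) // <nil>
	fmt.Println(cfg.VerifyPeerCertificate(nil, [][]*x509.Certificate{{forged}}))  // error: same name, other key
}
```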

A fifth of analyzed apps expose medical records, financial details

According to Sudo experts, 19 of the 76 apps they analyzed leaked high-risk data such as financial and medical information, passwords, and session authentication tokens for logged-in users.

Another 24 of the 76 apps leaked medium-risk information such as passwords and authentication tokens, while the remaining 33 apps leaked low-risk data such as emails, logins, and device hardware details.

Making matters worse, these 76 apps account for a large chunk of the iOS user base. According to app analytics platform Apptopia, the 76 iOS apps account for over 18 million installs.

Users who want to avoid having their traffic intercepted should only use WiFi networks they trust, and should not connect to public Internet access points, which are easy to spoof without most users ever noticing.