Apple users have been warned that a number of popular iOS apps are vulnerable to having their encrypted traffic intercepted.
Sudo Security Group CEO Will Strafach has revealed that 76 App Store apps, including Snapchat, fail to validate the TLS certificates of the servers they talk to, leaving private information open to interception even though it is nominally encrypted.
Mr Strafach confirmed on Tuesday that iPhones running these particular applications are exposed to “silent interception” of protected data, because misconfigured networking code in the apps accepts an invalid Transport Layer Security (TLS) certificate.
TLS is used to secure an app’s communication over an internet connection, but that protection depends on the app checking that the server’s certificate is genuine. When the app’s own code skips that check, the connection is encrypted only to whoever answers it, which exposes users to a considerable security risk.
He described it as a “man-in-the-middle attack”, in which an attacker on the same network sits between the app and its server, eavesdrops on the connection and reads the data the app sends, such as login credentials.
All that is needed is to be on the same Wi-Fi network as the victim, or within Wi-Fi range of the device.
“The truth of the matter is, this sort of attack can be conducted by any party within Wi-Fi range of your device while it is in use,” Mr Strafach wrote.
“This can be anywhere in public, or even within your home if an attacker can get within close range.”
Which applications are at the greatest risk?
Mr Strafach said 43 of the apps were at high or medium risk, with authentication and login information exposed.
These apps included “banks, medical providers, and other developers of sensitive applications”. He would not disclose their names, to give the developers time to fix the problem.
The remaining 33 apps were deemed low risk because they exposed only partially sensitive data, such as email addresses. These include Snapchat, messaging service ooVoo, VICE News, and a number of lesser-known streaming services.
According to app market tracker Apptopia, the affected apps have been downloaded more than 18 million times from the App Store.
The apps’ weaknesses were discovered when they were scanned with the security service verify.ly, which flagged “hundreds of applications” with a high likelihood of data interception.
Mr Strafach confirmed the findings by running the apps on an iPhone with iOS 10 behind a proxy that presented an invalid TLS certificate for the connection. A correctly written app refuses to connect through such a proxy; a vulnerable one carries on as normal, handing its traffic to the proxy.
How to protect yourself
According to the research, the vulnerability is most likely to be exploited when the connection is flowing over Wi-Fi.
The best protection for users of affected apps is therefore to turn off Wi-Fi when in a public location and use a cellular connection instead.
“While on a cellular connection the vulnerability does still exist, cellular interception is more difficult, requires expensive hardware, and is far more noticeable,” Mr Strafach said.
Ultimately, the only real fix is for developers to patch the problem, which in most cases means changing a few lines of code.
Mr Strafach provided a warning for developers.
“Be extremely careful when inserting network-related code and changing application behaviours,” he said.
“Many issues like this arise from an application developer not fully understanding the code they’ve borrowed from the web.”
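The mistake Mr Strafach describes, and the fix for it, look like this in code. The following is an added Swift example, not code from the original report or from any of the affected apps: the first delegate is the kind of widely copied snippet that makes an app accept any server certificate, which is exactly what lets a proxy with an invalid certificate read the traffic; the second lets iOS validate the certificate chain and hostname as it normally would, then additionally pins the server’s leaf certificate to a copy shipped with the app. The bundle file name api-pin.der and the helper makePinnedSession are assumptions for illustration.

```swift
import Foundation
import Security

// VULNERABLE: accepts whatever certificate the other end presents.
// This skips chain, hostname and expiry checks, so a proxy with a
// self-signed certificate gets a fully "encrypted" session with the app.
final class TrustAnythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if let trust = challenge.protectionSpace.serverTrust {
            // Never do this: it trusts every certificate unconditionally.
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

// HARDENED: system validation first, then a pin on the leaf certificate.
final class PinnedTrustDelegate: NSObject, URLSessionDelegate {
    private let pinnedLeaf: Data   // DER bytes of the expected server certificate

    init(pinnedLeaf: Data) {
        self.pinnedLeaf = pinnedLeaf
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only handle server-trust challenges; let the system handle everything else.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // 1. Standard validation: chain to a trusted root, hostname match, validity period.
        //    The SSL policy URLSession attaches to the trust object carries the hostname.
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // 2. Pin: the leaf certificate must match the one shipped in the app, byte for byte.
        guard let leaf = SecTrustGetCertificateAtIndex(trust, 0),
              (SecCertificateCopyData(leaf) as Data) == pinnedLeaf else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// Assumed usage: the pinned certificate is bundled with the app as api-pin.der.
func makePinnedSession() -> URLSession {
    guard let url = Bundle.main.url(forResource: "api-pin", withExtension: "der"),
          let pinned = try? Data(contentsOf: url) else {
        fatalError("pinned certificate missing from bundle")
    }
    return URLSession(configuration: .ephemeral,
                      delegate: PinnedTrustDelegate(pinnedLeaf: pinned),
                      delegateQueue: nil)
}
```

The vulnerable delegate is usually introduced to make a development server with a self-signed certificate work, and then ships to production. If an app has no reason to override trust evaluation at all, the safest delegate method is no delegate method: iOS performs full validation by default. SecTrustEvaluateWithError requires iOS 12 or later; on the iOS 10 devices used in the research the older SecTrustEvaluate call performs the same check. Pinning the leaf means the pinned file must be updated whenever the server certificate is rotated, so many teams pin the issuing CA or the public key instead; whichever is chosen, the system validation in step 1 must still run.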