Usually when sensitive information is being transferred over a network, the application will open an encrypted connection with the server using SSL (Secure Sockets Layer). iOS ships with a list of Certificate Authorities whose SSL certificates should be trusted, helping to ensure traffic is only sent to trusted servers and not intercepted by a malicious third party using their own self-signed SSL certificate.
Unfortunately, a number of applications have been found to bypass the list included in iOS, and instead accept an SSL certificate issued by anybody. This means that, combined with another attack called ARP (Address Resolution Protocol) poisoning, an attacker on the same network as a user can view all of the traffic going to and from a given app and potentially obtain such sensitive details as passwords, bank account numbers, or even credit card information.
The good news is that a few of the companies who were notified that their apps had this problem responded promptly. E*TRADE has already released a partial fix, and have a more complete fix on the way. Users of TD Ameritrade and Credit Karma should keep an eye out for updates that are in the works. Cisco is also working on a fix for their WebEx app, and Cisco customers can view the bug details (login required).
Sadly, not all companies were as responsive. Users who recently dropped Instagram over their terms & conditions fiasco may be disappointed to learn that Flickr was among the applications found to be affected, but has no timeline for when a fix will be available. Similarly, Monster was unable to say when or if a fix might be released.
If you’re using H&R Block or Fandango you’re also out of luck for now; neither of them responded to emails about the issue. Users of Fandango should be particularly cautious about buying tickets within the app, as their credit card details will be transmitted and left vulnerable.
As if it weren’t enough to worry about what apps on your own devices are sending, the problem doesn’t end there. Payment system software Lavu Lite and EVERPay Mobile POS share this security issue. Lavu Lite has already released an update to fix it that merchants should be sure to go grab. And remember when Verifone accused Square of being insecure? One of Verifone’s own mobile payment apps, PAYware, has this vulnerability as well, though none of Square’s apps do. Verifone did not respond when contacted.
It’s important to stay mindful of who you’re trusting with your data. Incidents like this serve as a good reminder of why it’s important to remain vigilant about personal security practices. Using unique passwords for all of your accounts with an app like 1Password, and having a VPN service like Cloak available are a couple of things users can do to help protect themselves from things like this.
For more detailed technical information on this SSL issue and how to identify it in other apps, see the companion post on neglectedpotential.com