iPhone/iPad user’s turn in the SSL bug spotlight
For those of you who read the security news, you know that this last 12 months has brought an amazing number of SSL bugs to the surface (see a few of my blog posts here and here and here). Now iPhone and iPad users have their turn to deal with an SSL bug.
The bug, in an open source toolkit used by developers to connect to the web called AFNetworking, disabled validation of SSL certificates that iApps received from a server. What that means is that any old certificate would be just fine. One from your bank. Or a hacker. Or anyone else.
If I can get on my soapbox for just one minute, this is another example of software supply chain issues just like the Lenovo/Superfish bug. The developer (Uber is one, for example), used a third party library. In this case, they may have tested the heck out of it – or not. When they first started using it, it was reasonably secure. Then they came out with an update that was not secure. Now Uber’s app is vulnerable. Worse yet, even if Uber did test the updated app, it is unlikely that they would have tested for the condition that made this app vulnerable. The software supply chain problem is not going away any time soon.
The good news is that the bug didn’t exist for long. The bug was created with the software release dated Feb 9, 2015 and fixed with a release dated March 26, 2015 – a period of about six weeks.
Now the bad news. There are over 100,000 apps in the iStore that use this library. However, we only have to deal with ones that were updated during this period (technically, this may not really be true because a developer could download the affected library during this window and not update it before releasing it outside this window, but this is the best indicator we have) – that represents about 20,000 apps. Next we have to narrow it down to which, of the 20,000, used the SSL features of AFNetworking. That is only about a thousand apps.
Now the badder news – or maybe gooder. The affected apps include ones from Yahoo, Microsoft, Uber, Citrix and others. Which means while over a million downloads were affected, those big companies will likely read the newspaper and update their apps quickly.
SourceDNA has created a web site where you can enter a developer name (such as Microsoft) and see what apps they have and if they are affected. This means that you have to enter each developer’s name and read the results – a time consuming effort. What would be much nicer is if someone would write an app to look at what is installed on your iDevice and tell you what is affected. That I have not found yet. Still, it is better than nothing. The website for SourceDNAs lookup is here.
For more details, see this article in ITWorld.