While developing a service for evaluating the security of mobile applications, researchers at Sudo Security led by Will Strafach discovered something unexpected: 76 popular App Store applications, including Vice News, downloaded an estimated 18 million times in total, still talk to their backend services over connections that are vulnerable to man-in-the-middle attacks.
This means an attacker on the same network can run a malicious proxy that terminates the Transport Layer Security (TLS) connection with its own, invalid certificate; because the apps accept that certificate instead of rejecting it, the proxy can read and modify the traffic.
The service, developed by Sudo, is verify.ly. It scans the binary code of App Store applications in bulk, which lets security researchers gather a large amount of information about these issues, Strafach wrote in a post on Medium describing the findings.
As detailed by Strafach, the data exposed by the vulnerability differs from app to app in terms of risk. For 33 of the 76 apps identified, the risk is low: all data confirmed as vulnerable to interception is only partially sensitive, he said. It consists of analytics data about the device and partially sensitive personal information such as email addresses, login credentials and the like.
For 24 of the apps, though, the risk is medium, Strafach says: his team was able to intercept login credentials and/or session authentication tokens for logged-in users.
The picture changes for the remaining 19 apps, which pose a high risk for their users: Strafach and his team were able to intercept login credentials and/or session authentication tokens for financial or medical services.
So what can app users do? Essentially nothing, except avoid public Wi-Fi networks, which are the most likely place for such an attack, when performing actions that involve sensitive data (logging into a mobile banking app, for example). You can still use public Wi-Fi for those actions (not recommended, though), but it is better to do them over a cellular connection, which is much harder to intercept.
In the end everything depends on the app developers: they have to make their apps validate the server's TLS certificate properly instead of accepting whatever certificate is presented, and then verify that the apps are no longer vulnerable.
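To make the mechanism concrete, here is an added example in Swift that is not code from the Sudo Security report or from any of the 76 apps. The first delegate shows the kind of mistake that makes an iOS app trust a malicious proxy: it handles the server-trust challenge that URLSession raises and accepts the presented certificate without evaluating it. The second delegate is the hardened form: it runs the system trust evaluation and additionally pins the SHA-256 of the expected leaf certificate. The class names, the pinned hash value and the `api.example.com` host are assumptions for illustration; `SecTrustCopyCertificateChain` requires iOS 15 / macOS 12.

```swift
import Foundation
import Security
import CryptoKit

// Added example; not the report's or any app's code.
// Both classes handle the server-trust challenge URLSession raises
// when the TLS handshake delivers the server's certificate chain.

// VULNERABLE: accepts whatever certificate the peer presents. A proxy on the
// same Wi-Fi network that terminates TLS with its own certificate is trusted,
// so request bodies (credentials, session tokens) are readable to it.
final class TrustAnythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // No evaluation of `trust` at all: any chain, self-signed or otherwise, is accepted.
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// HARDENED: the chain must pass the system evaluation (trusted root, host name,
// validity period) AND the leaf must match a hash the app ships with, so a
// certificate issued by a user-installed or compromised CA is also rejected.
final class PinnedTrustDelegate: NSObject, URLSessionDelegate {
    // Hex SHA-256 of the DER-encoded leaf certificate expected from the backend.
    private let pinnedLeafSHA256: String

    init(pinnedLeafSHA256: String) {
        self.pinnedLeafSHA256 = pinnedLeafSHA256.lowercased()
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // 1. Standard evaluation: URLSession has already attached an SSL policy
        //    for the request's host name, so this also checks the hostname.
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // 2. Pinning: compare the SHA-256 of the leaf certificate's DER bytes
        //    against the value compiled into the app.
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let leafDER = SecCertificateCopyData(leaf) as Data
        let digest = SHA256.hash(data: leafDER).map { String(format: "%02x", $0) }.joined()
        guard digest == pinnedLeafSHA256 else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// Usage (assumed host and placeholder hash; replace with the real leaf digest,
// which can be read with: openssl x509 -in leaf.pem -outform DER | openssl dgst -sha256)
let delegate = PinnedTrustDelegate(pinnedLeafSHA256: "0000000000000000000000000000000000000000000000000000000000000000")
let session = URLSession(configuration: .default, delegate: delegate, delegateQueue: nil)
let task = session.dataTask(with: URL(string: "https://api.example.com/login")!) { _, response, error in
    // With a MITM proxy in the path, the hardened delegate cancels the challenge
    // and `error` is set; the vulnerable delegate would have returned the response.
    print(error.map { "rejected: \($0)" } ?? "status: \((response as? HTTPURLResponse)?.statusCode ?? -1)")
}
task.resume()
```

Two practical notes: App Transport Security does not prevent this class of bug, because a delegate that answers the server-trust challenge overrides the default validation; and pinning to a leaf certificate means the app must be updated before that certificate is rotated, so many teams pin the intermediate or the public key hash instead, which is the same check applied to a different element of the chain.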