Dozens of popular iPhone apps are still exposing your login details

Strafach, chief executive at Sudo Security Group (verify.ly), surveyed thousands of apps and found dozens that had badly implemented code that allowed the app to accept any certificate to establish an encrypted connection without properly validating it. That means a hacker within close range of a vulnerable device -- such as the same Wi-Fi network -- could trick the app into accepting a rogue certificate. The app doesn't know any better, and the hacker can steal your username and password.

Strafach disclosed the names of dozens of low-risk apps, but held off on disclosing the banking and medical apps in order to privately disclose the issue to each app developer.

Time has passed -- three months specifically, the standard time in any disclosure process -- and while some of the affected apps have been fixed, many have not.

Strafach confirmed that HipChat and Foxit PDF were the only two popular high-risk apps that were vulnerable, but were since fixed.

However, the majority of the rest of the apps were not fixed, and still expose user credentials.

Several banking apps, including Emirates NBD and 21st Century Insurance are still vulnerable to having the customer's username and password intercepted if the apps were subject to a man-in-the-middle attack.

CERT, the public vulnerability database run by Carnegie Mellon University, said in its disclosures posted Thursday that users of Think Mutual Bank and Space Coast Credit Union, which were also named in Strafach's list, should "not use affected versions of the application."

And other apps, such as one that allows Indiana residents to vote, were vulnerable to attacks, said Strafach, though he didn't conduct extensive testing due to the sensitivity of the app.

Strafach said in a note that the easiest way to limit any issues is to use your phone's data plan, or not to use the app at all.

Dozens of not-so-popular "popular" iPhone and iPad Apps are exposing their users to man-in-the-middle attacks if the user uses them on an insecure WIFI network because the poorly written app doesn't properly validate authentication certificates. Although the discover of these flawed apps reported this problem to the publishers of these apps 90 days ago and some did update their apps to correct the authentication process, others have not. He advises to not use these apps until the publishers update them to be safe. I recommend you do not use any app with a risk of exposing financial or password exposure on ANY external WIFI network. — PING!

Thanks to TheBattman for the heads up.

Apple iOS Security Alert
Ping!

The latest Apple/Mac/iOS Pings can be found by searching Keyword "ApplePingList" on FreeRepublic's Search.

If you want on or off the Mac Ping List, Freepmail me

Here is a list of the Oh so "popular" iOS Apps that the article claims you should worry about because they are mid and high risk to exposing some data if used on an insecure WIFI public network. Notice how "popular" these apps are...

“HipChat — Free group chat for teams & business” by HipChat, Inc. (CVE-2017–8058) - FIXED
“Foxit PDF — PDF reader, editor, form, signature” by Foxit Corporation (CVE-2017–8059) - FIXED
“Panda Mobile Security” by Panda Security, S.L. (CVE-2017–8060)
“Think Mutual Bank — Mobile Banking App” by Think Mutual Bank (CVE-2017–3213)
“Emirates NBD” and “Emirates NBD KSA” by Emirates NBD Bank P.J.S.C (CVE-2017–5915)
“State Bank Anywhere” by State Bank of India (CVE-2017–5901)
“Dollar Bank Mobile” by Dollar Bank (CVE-2017–5905)
"PayQuicker” by PayQuicker (CVE-2017–5902)
“EFS Mobile Driver Source” by Electronic Funds Source LLC (CVE-2017–5909)
“Diabetes in Check: Blood Glucose & Carb Tracker” by Everyday Health, Inc (CVE-2017–5906)
“Supermóvil” by Banco Santander Mexico SA — Mexico (CVE-2017–5911)
“FOREXTrader for iPhone” by FOREX.com (CVE-2017–5912)
“TradeKing Forex for iPhone” by TradeKing (CVE-2017–5913)
“Banque Zitouna” by DOT IT (CVE-2017–5914)
“America’s First FCU Mobile Banking” by America’s First Federal Credit Union (CVE-2017–5916)
“BCR Móvil” by Banco de Costa Rica (CVE-2017–5918)
“21st Century Insurance” by 21st Century Insurance (CVE-2017–5919)
”Indiana Voters” by Quest Information Systems
“Dolphin Web Browser –Fast Private Internet Search” by MoboTap Inc. (“ellentube” by Warner Bros.
“Yo.” by Life Before Us, LLC
“Radio Javan” by RADIO JAVAN INC.
“ellentube” by Warner Bros.
“Zipongo — Healthy Recipes and Grocery Deals” by Zipongo, Inc.
“Interval International” by Interval International
“ShopWell — Healthy Diet & Grocery Food Scanner” by YottaMark, Inc.
“PUMATRAC” by PUMA AG

Ho hum . . . so disappointing that someone will find my password to EllenTube and watch Ellen Degenerate. . .

I’m not sure they found them all. There are many who use the same app developer/framework for specific types of apps. Notice how many banking apps look VERY similar and function the same. It’s likely because the core code is the same among them with only customization done (kind of like web pages done with the same Wordpress template, just the colors and images/content change, but they all look very similar).

LOTS of banks (especially smaller banks) use the same basic app - and I doubt these folks were able to track down and test all of them.

But I do agree, none appear to be insanely popular!

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.