Free Republic

Dozens of popular iPhone apps are still exposing your login details
ZDNet ^ | May 4, 2017 | By Zack Whittaker

Posted on 05/05/2017 1:56:08 PM PDT by Swordmaker


Strafach, chief executive at Sudo Security Group (verify.ly), surveyed thousands of apps and found dozens that had badly implemented code that allowed the app to accept any certificate to establish an encrypted connection without properly validating it. That means a hacker within close range of a vulnerable device -- such as the same Wi-Fi network -- could trick the app into accepting a rogue certificate. The app doesn't know any better, and the hacker can steal your username and password.

Strafach disclosed the names of dozens of low-risk apps, but held off on disclosing the banking and medical apps in order to privately disclose the issue to each app developer.

Time has passed -- three months specifically, the standard time in any disclosure process -- and while some of the affected apps have been fixed, many have not.

Strafach confirmed that HipChat and Foxit PDF were the only two popular high-risk apps that were vulnerable, but they have since been fixed.

However, the majority of the rest of the apps were not fixed, and still expose user credentials.

Several banking apps, including Emirates NBD and 21st Century Insurance, are still vulnerable to having the customer's username and password intercepted if the apps were subject to a man-in-the-middle attack.

CERT, the public vulnerability database run by Carnegie Mellon University, said in its disclosures posted Thursday that users of Think Mutual Bank and Space Coast Credit Union, which were also named in Strafach's list, should "not use affected versions of the application."

Also on the list of apps that could expose usernames and passwords if intercepted are Yo, a social networking tool; Diabetes in Check, a blood glucose level checker; and Dolphin Web Browser, which promises the user "private" internet search.

And other apps, such as one that allows Indiana residents to vote, were vulnerable to attacks, said Strafach, though he didn't conduct extensive testing due to the sensitivity of the app.

Strafach said in a note that the easiest way to limit any issues is to use your phone's data plan, or not to use the app at all.



TOPICS: Business/Economy; Computers/Internet
KEYWORDS: applepinglist; appsecurity; ios; security

1 posted on 05/05/2017 1:56:09 PM PDT by Swordmaker
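The flaw the article describes is a URLSession delegate that hands the server's trust object straight back as a credential without evaluating it. The following Swift is an added example written for this page, not code from verify.ly or from any of the apps named above: the vulnerable delegate beside a hardened one that evaluates the chain against the device trust store with a hostname-bound SSL policy and can optionally pin the leaf certificate. The class names, the `pinnedLeafHashes` parameter and its contents are assumptions for illustration.

```swift
import Foundation
import Security
import CryptoKit

/// VULNERABLE pattern (constructed for this example): the server's trust object is returned
/// as a credential with no evaluation. Nothing checks the chain or the hostname, so an
/// attacker on the same Wi-Fi who answers the TLS handshake with a self-signed certificate
/// is accepted and sees the plaintext, including the login form the app posts.
final class AcceptAnythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
           let trust = challenge.protectionSpace.serverTrust {
            // Bug: no SecTrustEvaluate* call before trusting whatever the network handed us.
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

/// HARDENED pattern: validate the chain and hostname with the system trust store, then
/// optionally pin the leaf certificate. Any failure cancels the connection; there is no
/// fallback that hands back a credential.
final class ValidatingDelegate: NSObject, URLSessionDelegate {
    /// SHA-256 digests of the expected leaf certificate's DER bytes. Empty set = chain
    /// validation only. Hypothetical: compute the real value from the server's certificate.
    private let pinnedLeafHashes: Set<Data>

    init(pinnedLeafHashes: Set<Data> = []) {
        self.pinnedLeafHashes = pinnedLeafHashes
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        let (disposition, credential) = Self.evaluate(trust,
                                                      host: challenge.protectionSpace.host,
                                                      pins: pinnedLeafHashes)
        completionHandler(disposition, credential)
    }

    /// Returns the disposition for a server trust; kept separate so it can be unit-tested
    /// with a SecTrust built from a test certificate.
    static func evaluate(_ trust: SecTrust, host: String, pins: Set<Data>)
        -> (URLSession.AuthChallengeDisposition, URLCredential?) {
        // 1. Chain and hostname validation against the device trust store.
        let policy = SecPolicyCreateSSL(true, host as CFString)
        guard SecTrustSetPolicies(trust, policy) == errSecSuccess else {
            return (.cancelAuthenticationChallenge, nil)
        }
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            // `error` says why (untrusted root, hostname mismatch, expiry). Log it; never override it.
            return (.cancelAuthenticationChallenge, nil)
        }
        // 2. Optional leaf pinning: also rejects a rogue CA that a user was tricked into installing.
        if !pins.isEmpty {
            guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
                  let leaf = chain.first else {
                return (.cancelAuthenticationChallenge, nil)
            }
            let der = SecCertificateCopyData(leaf) as Data
            let digest = Data(SHA256.hash(data: der))
            guard pins.contains(digest) else {
                return (.cancelAuthenticationChallenge, nil)
            }
        }
        return (.useCredential, URLCredential(trust: trust))
    }
}
```

The smallest correct fix is usually to delete the delegate method altogether: URLSession performs exactly the chain and hostname evaluation in step 1 by default, and a delegate is only needed for pinning or client certificates. App Transport Security does not rescue the vulnerable class above, because ATS governs which protocols and ciphers are allowed, not what a delegate chooses to trust. To check an app you do not have source for, route the device through an intercepting proxy such as mitmproxy without installing the proxy's CA on the device: a correctly written app refuses to connect, while a vulnerable one logs in through the proxy and its credentials appear in the proxy's flow list.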

To: Swordmaker

Where is the answer for avoiding this stuff? Smoke signals?


2 posted on 05/05/2017 1:57:25 PM PDT by RitaOK (Viva Christo Rey! Public Education/Academia are the farm team for more Marxists coming... infinitum.)

To: ~Kim4VRWC's~; 1234; 5thGenTexan; AbolishCSEU; Abundy; Action-America; acoulterfan; AFreeBird; ...
Dozens of not-so-popular "popular" iPhone and iPad Apps are exposing their users to man-in-the-middle attacks if the user uses them on an insecure WIFI network because the poorly written app doesn't properly validate authentication certificates. Although the discoverer of these flawed apps reported this problem to the publishers of these apps 90 days ago and some did update their apps to correct the authentication process, others have not. He advises to not use these apps until the publishers update them to be safe. I recommend you do not use any app with a risk of financial or password exposure on ANY external WIFI network. — PING!

Thanks to TheBattman for the heads up.


Apple iOS Security Alert
Ping!

The latest Apple/Mac/iOS Pings can be found by searching Keyword "ApplePingList" on FreeRepublic's Search.

If you want on or off the Mac Ping List, Freepmail me

3 posted on 05/05/2017 2:02:05 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: RitaOK
Where is the answer for avoiding this stuff? Smoke signals?

That's one solution. I'd just not use banking while drinking coffee at Starbucks or sitting at an airport waiting for your flight. If you must, use your phone for a hotspot instead of the public WIFI.

4 posted on 05/05/2017 2:04:24 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

Here is a list of the Oh so "popular" iOS Apps that the article claims you should worry about because they are mid- and high-risk for exposing some data if used on an insecure WIFI public network. Notice how "popular" these apps are...

Ho hum . . . so disappointing that someone will find my password to EllenTube and watch Ellen Degenerate. . .

5 posted on 05/05/2017 2:23:42 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker

Precisely


6 posted on 05/05/2017 4:38:18 PM PDT by Nifster (I see puppy dogs in the clouds)

To: Swordmaker

Never heard of any of em


7 posted on 05/05/2017 4:39:48 PM PDT by Nifster (I see puppy dogs in the clouds)

To: Swordmaker

I’m not sure they found them all. There are many who use the same app developer/framework for specific types of apps. Notice how many banking apps look VERY similar and function the same. It’s likely because the core code is the same among them with only customization done (kind of like web pages done with the same Wordpress template, just the colors and images/content change, but they all look very similar).

LOTS of banks (especially smaller banks) use the same basic app - and I doubt these folks were able to track down and test all of them.

But I do agree, none appear to be insanely popular!


8 posted on 05/05/2017 7:24:28 PM PDT by TheBattman (Gun control works - just ask Chicago...)

To: Nifster

The only one I’ve specifically heard of is the FOREX app from when I was investigating different online investment directions and knew that FOREX had an app. But that’s about it for the ones I’ve heard of, thankfully.


9 posted on 05/05/2017 7:25:34 PM PDT by TheBattman (Gun control works - just ask Chicago...)

To: Swordmaker

Disappointed to see Dolphin on the list. Love that browser for watching Youtube videos and doing searches. Often it’s faster than Safari on my machine, but not always.


10 posted on 05/05/2017 7:33:12 PM PDT by The Westerner (Protect the most vulnerable: get the government out of medicine and education!)
