Security Flaw Affects 1500 iOS Apps While Apple's OS X 10.10.3 'Rootpipe' Fix Proves Incomplete [Updated]

Over the past few days, reports have accumulated about two security flaws: one affecting roughly 1,500 iOS apps, and a second, the OS X "Rootpipe" privilege-escalation bug, that survives the fix Apple shipped in OS X 10.10.3.

The first flaw leaves about 1,500 iPhone and iPad apps open to attackers who could intercept passwords, bank account details and other sensitive information, according to Ars Technica. Discovered by security analytics firm SourceDNA last month, the man-in-the-middle weakness lived in AFNetworking, a widely used open-source networking library for iOS and OS X; it was introduced in version 2.5.1 and fixed in the 2.5.2 update.

Unfortunately, some developers have yet to rebuild their apps against the fixed library, leaving those 1,500 apps exposed. The bug is not a break in the encryption itself: the vulnerable library skipped proper validation of the server's certificate, so an attacker who controls the network path, for instance by running a rogue Wi-Fi hotspot that the victim joins, can present a forged certificate, terminate the HTTPS connection themselves and read or alter everything the app sends and receives. In response, SourceDNA scanned most apps on the App Store for the vulnerable code and built a search tool that lets users check whether a particular app is at risk.

The day the flaw was announced and patched, a quick search in SourceDNA showed about 20,000 iOS apps (out of the 100k apps that use AFNetworking) both contained the AFNetworking library and were updated or released on the App Store after the flawed code was committed. Our system then scanned those apps with the differential signatures to see which ones actually had the vulnerable code.

The results? 55% had the older but safe 2.5.0 code, 40% were not using the portion of the library that provides the SSL API, and 5% or about 1,000 apps had the flaw. Are these apps important? We compared them against our rank data and found some big players: Yahoo!, Microsoft, Uber, Citrix, etc. It amazes us that an open-source library that introduced a security flaw for only 6 weeks exposed millions of users to attack.

Known apps still vulnerable to the attack include Citrix OpenVoice Audio Conferencing, Alibaba's mobile app and Movies by Flixster with Rotten Tomatoes. SourceDNA urges users to look up their most-used apps in its search tool, and says it will remove apps as they are fixed and add newly discovered vulnerable ones over time.

The other flaw, "Rootpipe" (CVE-2015-1130), is a local privilege-escalation bug in OS X's Admin framework that dates back to 2011 and has been publicly known for some time. Apple patched it in OS X 10.10.3 earlier this month, but only for Yosemite; older versions of OS X remain unpatched. As reported by Forbes, security researcher Patrick Wardle, a former NSA staffer, has now found that the flaw can still be exploited on Macs running OS X 10.10.3 as well as on older versions.

Apple put additional access controls in place to stop attacks, but Wardle's code was still able to connect to the vulnerable service and start overwriting files on his Mac. "I was tempted to walk into the Apple store this [afternoon] and try it on the display models – but I stuck to testing it on my personal laptop (fully updated/patched) as well as my OS X 10.10.3 [virtual machine]. Both worked like a charm," Wardle told FORBES over email. In a blog post, he'd said his exploit was "a novel, yet trivial way for any local user to re-abuse Rootpipe".

Disclosed last October, Rootpipe lets code already running under a local account ask a privileged system service to write files as root without the root password, which is enough to plant a setuid-root binary and keep a hidden backdoor on the machine. It is a privilege-escalation bug, not a remote one: the attacker must first get code running on the target, whether through physical access, an existing remote session or a malicious app.

Before this, Apple most recently dealt with the "FREAK" TLS flaw, which affected everything from the Apple TV to the iPod touch and let an attacker on the network downgrade connections to weak export-grade encryption. The company issued security updates across all its platforms in the weeks after that flaw was disclosed. On the AFNetworking and re-emerging Rootpipe flaws, the company has yet to comment.

Update: The Alamofire Software Foundation, which maintains AFNetworking, has posted a response disputing SourceDNA's count of affected apps. It notes that an app built with a vulnerable version of AFNetworking is not exploitable if it communicates over HTTPS with SSL pinning enabled: with pinning, the library compares the server's certificate or public key against a copy shipped inside the app, so a forged certificate from a man-in-the-middle is rejected even when ordinary chain validation is broken.

If your app communicates over HTTPS and enables SSL pinning, it is not vulnerable to the reported MitM attacks

A significant proportion of apps using AFNetworking took the recommended step of enabling SSL certificate or public key pinning. Those applications are not vulnerable to the reported MitM attacks.

Alamofire's Mattt Thompson tells MacRumors that there is no way to tell whether a given app is vulnerable without actually attempting a man-in-the-middle attack against it, which SourceDNA did not do. Regardless, every developer using AFNetworking should update to version 2.5.3 immediately and rebuild and resubmit their apps, since the fix only reaches users when a new binary ships.
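As an added illustration, not code from the article, from SourceDNA or from the AFNetworking project, the Objective-C below shows the weak AFNetworking 2.5.x security-policy configuration that leaves an app exposed to the hotspot attack described above beside the pinned configuration Alamofire recommends, plus a self-check that confirms the pinned policy rejects a certificate that is not in its pin set. It uses only the public AFNetworking 2.x API (AFSecurityPolicy, AFHTTPRequestOperationManager); the host name and the bundled certificate file name are assumptions.

```objective-c
// Added example, not code from the article or the AFNetworking project.
// Assumed: a DER-encoded copy of the server's certificate is shipped in the
// app bundle as "api-example-com.cer", and the API lives at api.example.com.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import "AFHTTPRequestOperationManager.h"
#import "AFSecurityPolicy.h"

// WEAK: accept any certificate for any host. This is the effect the
// vulnerable library had, and also what developers get when they "fix"
// a certificate error by flipping allowInvalidCertificates. A rogue
// hotspot can present a forged certificate and read every request.
static AFHTTPRequestOperationManager *AFNExampleMakeWeakManager(void) {
    AFHTTPRequestOperationManager *manager = [AFHTTPRequestOperationManager manager];
    AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeNone];
    policy.allowInvalidCertificates = YES;   // forged or self-signed chains pass
    policy.validatesDomainName = NO;         // a valid cert for any other host passes
    manager.securityPolicy = policy;
    return manager;
}

// HARDENED: pin the server's public key and keep chain and host checks on.
// Public-key pinning survives certificate renewal as long as the key is
// reused. AFNetworking 2.x will also load every *.cer in the main bundle
// automatically when a pinning mode is selected; the pin is loaded
// explicitly here so the dependency on the bundled file is visible.
static AFHTTPRequestOperationManager *AFNExampleMakePinnedManager(void) {
    NSString *certPath = [[NSBundle mainBundle] pathForResource:@"api-example-com"
                                                         ofType:@"cer"];   // assumed file
    NSData *certData = [NSData dataWithContentsOfFile:certPath];
    NSCAssert(certData != nil, @"pinned certificate missing from bundle");

    AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey];
    policy.pinnedCertificates = @[certData];
    policy.allowInvalidCertificates = NO;    // the chain must still validate
    policy.validatesDomainName = YES;        // CN/SAN must match the host
    policy.validatesCertificateChain = YES;  // 2.x property; removed in 3.0

    AFHTTPRequestOperationManager *manager = [AFHTTPRequestOperationManager manager];
    manager.securityPolicy = policy;
    return manager;
}

// Self-check a developer can run without standing up a MitM proxy: build a
// trust object from a certificate that is NOT the pinned one (e.g. a
// throwaway self-signed cert generated for the test) and confirm the
// policy rejects it. Returns YES when the policy correctly refuses.
static BOOL AFNExamplePolicyRejectsForeignCert(AFSecurityPolicy *policy,
                                               NSData *foreignCertDER,
                                               NSString *host) {
    SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)foreignCertDER);
    if (cert == NULL) {
        return NO;   // not even parseable; treat as a test-setup failure
    }
    SecPolicyRef sslPolicy = SecPolicyCreateSSL(true, (__bridge CFStringRef)host);
    SecTrustRef trust = NULL;
    OSStatus status = SecTrustCreateWithCertificates(cert, sslPolicy, &trust);
    BOOL rejected = NO;
    if (status == errSecSuccess && trust != NULL) {
        rejected = ![policy evaluateServerTrust:trust forDomain:host];
        CFRelease(trust);
    }
    CFRelease(sslPolicy);
    CFRelease(cert);
    return rejected;
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        AFHTTPRequestOperationManager *pinned = AFNExampleMakePinnedManager();
        // foreignDER would hold a DER certificate that is not the pinned one.
        NSData *foreignDER = [NSData dataWithContentsOfFile:@"/tmp/foreign-test.cer"]; // assumed path
        if (foreignDER != nil) {
            BOOL ok = AFNExamplePolicyRejectsForeignCert(pinned.securityPolicy, foreignDER, @"api.example.com");
            NSLog(@"pinned policy rejects foreign certificate: %@", ok ? @"YES" : @"NO");
        }
        (void)AFNExampleMakeWeakManager();   // shown only for contrast; never ship it
    }
    return 0;
}
```

Two caveats for anyone adopting the pinned configuration: ship a backup pin (a second `.cer` whose key you can roll to), because a pinned app whose server key rotates simply stops working until the App Store review cycle delivers an update; and treat the self-check above as a unit test of the policy object, not as proof that the network layer honors it. The only end-to-end confirmation is the one Thompson describes, running the app through an intercepting proxy with a forged certificate and verifying that the connection fails.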


Top Rated Comments

ovrlrd
133 months ago
Pretty silly that Apple can't just bundle this detection into their App Store approvals process. They could also issue massive warnings to app makers and give a deadline to fix or their apps get removed.
Score: 17 Votes
tritonxl
133 months ago
> I guess these are some reasons iOS and OS X were the least secure platforms last year. Kinda sucks right?

It's not the platform that is insecure here. It's a third party library that doesn't properly handle HTTPS in an OLDER version that has since been updated and patched. It's the developers of the app that are at fault here.
Score: 16 Votes
Raima
133 months ago
Thank you for bringing the rootpipe issue to the front page. More people need to be aware of it so Apple in their best interest will take action to patch it.
Score: 8 Votes
teslo
133 months ago
'generating a fake wifi hotspot'

I don't know much about this stuff, so does this mean you'd have to willfully join an unknown network because it seemed convenient, or it's a fake wifi network disguised as yours?
Score: 7 Votes
b0nd18t
133 months ago
I guess these are some reasons iOS and OS X were the least secure platforms last year. Kinda sucks right?
Score: 6 Votes
till213
133 months ago
> 'generating a fake wifi hotspot'
>
> I don't know much about this stuff, so does this mean you'd have to willfully join an unknown network because it seemed convenient, or it's a fake wifi network disguised as yours?

1. Go to any public place (restaurant, train station, airport, ...)
2. Set up your own Wi-Fi hotspot, no password set
3. Don't call it EvilNetwork, but rather...
4. "Free WiFi"

Be surprised how many people will willfully connect to that "fake" Wi-Fi hotspot...
Score: 5 Votes