Security Flaw Affects 1500 iOS Apps While Apple's OS X 10.10.3 'Rootpipe' Fix Proves Incomplete [Updated]

apple_security_iconOver the past few days a handful of reports have been accumulating in regards to two security flaws, one affecting roughly 1500 iOS apps and a second affecting OS X users despite Apple having tried to patch the vulnerability on OS X 10.10.3.

The first security flaw is making about 1500 iPhone and iPad apps vulnerable to hackers who could leverage the vulnerability to steal passwords, bank account information, and a handful of other sensitive information, according to Ars Technica. Discovered by security analytics firm SourceDNA last month, the "man-in-the-middle" attack was fixed in a 2.5.2 update to AFNetworking, the open-source code which housed the vulnerability.

Unfortunately, some developers have yet to update to the newest version of the code, leaving those 1500 apps open and vulnerable to the attack, which "can decrypt HTTPS-encrypted data" and essentially allows anyone generating a fake Wi-Fi hotspot access to a user's data on that same Wi-Fi connection. As a result, SourceDNA scanned and analyzed most apps on the App Store for the security flaw, and even created a search tool to discover if a particular app is under risk.

The day the flaw was announced & patched, a quick search in SourceDNA showed about 20,000 iOS apps (out of the 100k apps that use AFNetworking) both contained the AFNetworking library and were updated or released on the App Store after the flawed code was committed. Our system then scanned those apps with the differential signatures to see which ones actually had the vulnerable code.

The results? 55% had the older but safe 2.5.0 code, 40% were not using the portion of the library that provides the SSL API, and 5% or about 1,000 apps had the flaw. Are these apps important? We compared them against our rank data and found some big players: Yahoo!, Microsoft, Uber, Citrix, etc. It amazes us that an open-source library that introduced a security flaw for only 6 weeks exposed millions of users to attack.

Some of the known apps currently vulnerable to the man-in-the-middle attack includes Citrix OpenVoice Audio Conferencing [Direct Link], Alibaba's mobile app [Direct Link], and even Movies by Flixster with Rotten Tomatoes [Direct Link]. SourceDNA urges users to check their most used apps in its search tool for the security flaw, and promises to remove apps that have been fixed and add ones discovered to be vulnerable as time goes on.

The other flaw, called "Rootpipe", dates back to 2011 and has been known for some time. Apple intended to patch the Rootpipe vulnerability in OS X 10.10.3 earlier this month, although older versions of OS X were left vulnerable. But as reported by Forbes, former NSA agent Patrick Wardle has discovered the flaw to still be present on Macs running OS X 10.10.3, as well as older versions.

Apple put additional access controls to stop attacks, but Wardle’s code was still able to connect to the vulnerable service and start overwriting files on his Mac. “I was tempted to walk into the Apple store this [afternoon] and try it on the display models – but I stuck to testing it on my personal laptop (fully updated/patched) as well as my OS X 10.10.3 [virtual machine]. Both worked like a charm,” Wardle told FORBES over email. In a blog post, he’d said his exploit was “a novel, yet trivial way for any local user to re-abuse Rootpipe”.

Discovered last October, the Rootpipe flaw essentially allows a hidden backdoor to be created on a particular system, opening up root access of a computer to a hacker after they obtain local privileges on the device. Physical access or previously granted remote access to the target machine is required in order for the vulnerability to be exploited.

Most recently, Apple faced the "FREAK" security flaw in its systems, making everything from an Apple TV to an iPod touch vulnerable to stolen sensitive information. The company issued a few security updates on all platforms in the weeks following the discovery of the security flaw, beefing up security and working to assuage public concerns. In regards to the man-in-the-middle iOS and re-emerging Rootpipe flaws, the company has yet to comment.

Update: Alamofire Software Foundation has posted a response to the controversy over the AFNetworking issue, refuting SourceDNA's claims about the number of apps affected by noting that even if an app used a vulnerable version of AFNetworking, it would not be susceptible to attack as long as communication is handled over HTTPS with SSL pinning.

If your app communicates over HTTPS and enables SSL pinning, it is not vulnerable to the reported MitM attacks

A significant proportion of apps using AFNetworking took the recommended step of enabling SSL certificate or public key pinning. Those applications are not vulnerable to the reported MitM attacks.

Alamofire's Mattt Thompson tells MacRumors that there is simply no way to tell whether or not an app is vulnerable without trying to to initiate a man-in-the-middle attack, which SourceDNA did not do. Regardless, all developers using AFNetworking in their apps should update to version 2.5.3 immediately.

Top Rated Comments

ovrlrd Avatar
80 months ago
Pretty silly that Apple can't just bundle this detection into their App Store approvals process. They could also issue massive warnings to app makers and give a deadline to fix or their apps get removed.
Score: 17 Votes (Like | Disagree)
tritonxl Avatar
80 months ago
I guess these are some reasons iOS and OS X were the least secure platforms last year. Kinda sucks right?

It's not the platform that is insecure here. It's a third party library that doesn't properly handle HTTPS in an OLDER version that has since been updated and patched. It's the developers of the app that are at fault here.
Score: 16 Votes (Like | Disagree)
Raima Avatar
80 months ago
Thank you for bringing the rootpipe issue to the front page. More people need to be aware of it so Apple in their best interest will take action to patch it.
Score: 8 Votes (Like | Disagree)
teslo Avatar
80 months ago
'generating a fake wifi hotspot'

i don't know much about this stuff, so does this mean you'd have to willfully join an unknown network because it seemed convenient, or it's a fake wifi network disguised as yours?
Score: 7 Votes (Like | Disagree)
b0nd18t Avatar
80 months ago
I guess these are some reasons iOS and OS X were the least secure platforms last year. Kinda sucks right?
Score: 6 Votes (Like | Disagree)
till213 Avatar
80 months ago
'generating a fake wifi hotspot'

i don't know much about this stuff, so does this mean you'd have to willfully join an unknown network because it seemed convenient, or it's a fake wifi network disguised as yours?

1. Go to any public place (restaurant, train station, airport, ...)
2. Setup your own Wi-Fi hotspot, no password set
3. Don't call it EvilNetwork, but rather...
4. "Free WiFi"

Be surprised how many people will willfully connect to that "fake" Wi-Fi hotspot...
Score: 5 Votes (Like | Disagree)

Top Stories

apple watch 6s 202009

Bloomberg: Apple Watch Series 7 to Feature Thinner Screen Bezels, Faster Processor, and Updated Ultra Wideband Tech

Monday June 14, 2021 3:41 am PDT by
This year's Apple Watch Series 7 is likely to have thinner display bezels and use a new lamination technique that brings the display closer to the front cover, according to Bloomberg's Mark Gurman. From the report: The Cupertino, California-based tech giant is planning to refresh the line this year -- with a model likely dubbed the Apple Watch Series 7 -- by adding a faster processor,...
m1 imac back

Some M1 iMac Models Shipping With Crooked Mountings

Monday June 14, 2021 12:50 pm PDT by
Some M1 iMacs appear to have a manufacturing defect that causes the display to be mounted on the stand in a way that's not perfectly aligned, leading to a crooked display. YouTuber iPhonedo over the weekend published a review of the M1 iMac, and he found that his machine appeared to be tilted on one side, a mounting disparity that was visibly noticeable and proved with a ruler. Another...
studio buds family

Beats Studio Buds Debuting Today With Active Noise Cancellation, Stemless Design, and More for $150

Monday June 14, 2021 8:00 am PDT by
We've seen a lot of teasers about the Beats Studio Buds over the past month since they first showed up in Apple's beta software updates, and today they're finally official. The Beats Studio Buds are available to order today in red, white, and black ahead of a June 24 ship date, and they're priced at $149.99. The Studio Buds are the first Beats-branded earbuds to truly compete with AirPods...
16 inch macbook pro m2 render

When Can We Expect the Redesigned MacBook Pros Now?

Wednesday June 16, 2021 7:11 am PDT by
With no sign of redesigned MacBook Pro models at this year's WWDC, when can customers expect the much-anticipated new models to launch? A number of reports, including investor notes from Morgan Stanley and Wedbush analysts, claimed that new MacBook Pro models would be coming during this year's WWDC. This did not happen, much to the disappointment of MacBook Pro fans, who have been...
apple new iphone case colors

Apple Releases New Sunflower, Cloud Blue and Electric Orange iPhone 12 Cases

Monday June 14, 2021 11:12 am PDT by
Apple today released silicone iPhone cases for the iPhone 12, 12 Pro, 12 Pro Max, and 12 mini in a series of new colors that include sunflower, cloud blue, and electric orange. Sunflower is a bright yellow shade, cloud blue is a soft, light blue, and electric orange is a bright orange that's darker than the kumquat color and more orange than pink citrus. The new cases are priced starting...
ipad iphone duo ios 12

Apple Releases iOS and iPadOS 12.5.4 Security Fix for Older iPhones and iPads

Monday June 14, 2021 10:15 am PDT by
Apple today released new iOS and iPadOS 12.5.4 updates, with the new software aimed at older devices that are unable to run the iOS 14 update that's available on modern devices. The iOS and iPadOS 12.5.4 updates can be downloaded for free and the software is available on all eligible devices over-the-air in the Settings app. To access the new software, go to Settings > General > Software...
files app ipados 15

iPadOS 15: Files App Gains NTFS Support, Progress Indicator, and More

Tuesday June 15, 2021 3:41 am PDT by
Apple in iPadOS 15 has added the ability to access NTFS-formatted media from within the Files app. The additional support for the Windows-related format, first discovered by YouTuber Steven Fjordstrøm, is read-only, so like on macOS you can't modify files stored on NTFS devices, but you can at least copy any data on them for working on elsewhere on your iPad. The Files app has also gotten a...
maxresdefault

Apple CEO Tim Cook: Sideloading Apps Would 'Destroy the Security' of the iPhone

Wednesday June 16, 2021 10:49 am PDT by
Apple CEO Tim Cook this morning participated in a virtual interview at the VivaTech conference, which is described as Europe's biggest startup and tech event. Cook was interviewed by Guillaume Lacroix, CEO and founder of Brut, a media company that creates short-form video content. Much of the discussion centered on privacy, as it often does in interviews that Cook participates in. He...
maxresdefault

Demo: Check Out AirPlay 2 on a Mac in macOS Monterey

Tuesday June 15, 2021 11:57 am PDT by
With macOS Monterey, Apple has introduced expanded AirPlay 2 support, so you can AirPlay content from an iPhone, iPad, or even another Mac to your main Mac. We thought we'd do a quick demo of this handy new feature in our latest YouTube video. Subscribe to the MacRumors YouTube channel for more videos. With AirPlay to Mac, you can extend or mirror an Apple device's display to a Mac, and since ...
nomad airtag wallet card 2

Nomad's Latest Accessory Makes It Easier to Put an AirTag in Your Wallet

Monday June 14, 2021 12:00 pm PDT by
Nomad, known for its range of accessories designed for Apple devices, today announced the Card for AirTag, which is designed to make it easier for an AirTag to fit inside a wallet for tracking purposes. With Card for AirTag, an AirTag fits inside the middle of a card-shaped holder that's then meant to fit inside of a wallet. According to Nomad, the design offers a smooth, uniform shape that...