Security Flaw Affects 1500 iOS Apps While Apple's OS X 10.10.3 'Rootpipe' Fix Proves Incomplete [Updated]

apple_security_iconOver the past few days a handful of reports have been accumulating in regards to two security flaws, one affecting roughly 1500 iOS apps and a second affecting OS X users despite Apple having tried to patch the vulnerability on OS X 10.10.3.

The first security flaw is making about 1500 iPhone and iPad apps vulnerable to hackers who could leverage the vulnerability to steal passwords, bank account information, and a handful of other sensitive information, according to Ars Technica. Discovered by security analytics firm SourceDNA last month, the "man-in-the-middle" attack was fixed in a 2.5.2 update to AFNetworking, the open-source code which housed the vulnerability.

Unfortunately, some developers have yet to update to the newest version of the code, leaving those 1500 apps open and vulnerable to the attack, which "can decrypt HTTPS-encrypted data" and essentially allows anyone generating a fake Wi-Fi hotspot access to a user's data on that same Wi-Fi connection. As a result, SourceDNA scanned and analyzed most apps on the App Store for the security flaw, and even created a search tool to discover if a particular app is under risk.

The day the flaw was announced & patched, a quick search in SourceDNA showed about 20,000 iOS apps (out of the 100k apps that use AFNetworking) both contained the AFNetworking library and were updated or released on the App Store after the flawed code was committed. Our system then scanned those apps with the differential signatures to see which ones actually had the vulnerable code.

The results? 55% had the older but safe 2.5.0 code, 40% were not using the portion of the library that provides the SSL API, and 5% or about 1,000 apps had the flaw. Are these apps important? We compared them against our rank data and found some big players: Yahoo!, Microsoft, Uber, Citrix, etc. It amazes us that an open-source library that introduced a security flaw for only 6 weeks exposed millions of users to attack.

Some of the known apps currently vulnerable to the man-in-the-middle attack includes Citrix OpenVoice Audio Conferencing [Direct Link], Alibaba's mobile app [Direct Link], and even Movies by Flixster with Rotten Tomatoes [Direct Link]. SourceDNA urges users to check their most used apps in its search tool for the security flaw, and promises to remove apps that have been fixed and add ones discovered to be vulnerable as time goes on.

The other flaw, called "Rootpipe", dates back to 2011 and has been known for some time. Apple intended to patch the Rootpipe vulnerability in OS X 10.10.3 earlier this month, although older versions of OS X were left vulnerable. But as reported by Forbes, former NSA agent Patrick Wardle has discovered the flaw to still be present on Macs running OS X 10.10.3, as well as older versions.

Apple put additional access controls to stop attacks, but Wardle’s code was still able to connect to the vulnerable service and start overwriting files on his Mac. “I was tempted to walk into the Apple store this [afternoon] and try it on the display models – but I stuck to testing it on my personal laptop (fully updated/patched) as well as my OS X 10.10.3 [virtual machine]. Both worked like a charm,” Wardle told FORBES over email. In a blog post, he’d said his exploit was “a novel, yet trivial way for any local user to re-abuse Rootpipe”.

Discovered last October, the Rootpipe flaw essentially allows a hidden backdoor to be created on a particular system, opening up root access of a computer to a hacker after they obtain local privileges on the device. Physical access or previously granted remote access to the target machine is required in order for the vulnerability to be exploited.

Most recently, Apple faced the "FREAK" security flaw in its systems, making everything from an Apple TV to an iPod touch vulnerable to stolen sensitive information. The company issued a few security updates on all platforms in the weeks following the discovery of the security flaw, beefing up security and working to assuage public concerns. In regards to the man-in-the-middle iOS and re-emerging Rootpipe flaws, the company has yet to comment.

Update: Alamofire Software Foundation has posted a response to the controversy over the AFNetworking issue, refuting SourceDNA's claims about the number of apps affected by noting that even if an app used a vulnerable version of AFNetworking, it would not be susceptible to attack as long as communication is handled over HTTPS with SSL pinning.

If your app communicates over HTTPS and enables SSL pinning, it is not vulnerable to the reported MitM attacks

A significant proportion of apps using AFNetworking took the recommended step of enabling SSL certificate or public key pinning. Those applications are not vulnerable to the reported MitM attacks.

Alamofire's Mattt Thompson tells MacRumors that there is simply no way to tell whether or not an app is vulnerable without trying to to initiate a man-in-the-middle attack, which SourceDNA did not do. Regardless, all developers using AFNetworking in their apps should update to version 2.5.3 immediately.

Top Rated Comments

ovrlrd Avatar
88 months ago
Pretty silly that Apple can't just bundle this detection into their App Store approvals process. They could also issue massive warnings to app makers and give a deadline to fix or their apps get removed.
Score: 17 Votes (Like | Disagree)
tritonxl Avatar
88 months ago
I guess these are some reasons iOS and OS X were the least secure platforms last year. Kinda sucks right?

It's not the platform that is insecure here. It's a third party library that doesn't properly handle HTTPS in an OLDER version that has since been updated and patched. It's the developers of the app that are at fault here.
Score: 16 Votes (Like | Disagree)
Raima Avatar
88 months ago
Thank you for bringing the rootpipe issue to the front page. More people need to be aware of it so Apple in their best interest will take action to patch it.
Score: 8 Votes (Like | Disagree)
teslo Avatar
88 months ago
'generating a fake wifi hotspot'

i don't know much about this stuff, so does this mean you'd have to willfully join an unknown network because it seemed convenient, or it's a fake wifi network disguised as yours?
Score: 7 Votes (Like | Disagree)
b0nd18t Avatar
88 months ago
I guess these are some reasons iOS and OS X were the least secure platforms last year. Kinda sucks right?
Score: 6 Votes (Like | Disagree)
till213 Avatar
88 months ago
'generating a fake wifi hotspot'

i don't know much about this stuff, so does this mean you'd have to willfully join an unknown network because it seemed convenient, or it's a fake wifi network disguised as yours?

1. Go to any public place (restaurant, train station, airport, ...)
2. Setup your own Wi-Fi hotspot, no password set
3. Don't call it EvilNetwork, but rather...
4. "Free WiFi"

Be surprised how many people will willfully connect to that "fake" Wi-Fi hotspot...
Score: 5 Votes (Like | Disagree)

Popular Stories

maxresdefault

Review: M1 Max MacBook Pro After Three Months

Wednesday January 19, 2022 11:30 am PST by
It's now been a few months since the M1 Pro and M1 Max MacBook Pro models launched in October, and MacRumors video editor Dan Barbera has been using one of the new machines since they debuted. Over on the MacRumors YouTube channel, Dan has shared a three month review of his MacBook Pro to see how it has held up over time and how it's changed his workflow. Subscribe to the MacRumors YouTube ...
airpodsinear 1

AirPods Save Woman's Life With Feature Everyone Should Know

Friday January 21, 2022 2:13 am PST by
Apple's AirPods have been credited with saving a woman's life after a potentially fatal fall, People reports. When a 60-year-old florist in New Jersey tripped and hit her head in her studio, she lost consciousness and awoke heavily bleeding. With nobody around to call for help, she realized she had her AirPods in, and used a "Hey Siri" command to call 911. An operator was able to stay on the ...
iphone se 2020 top

New iPhone SE Likely to Launch in April Based on Production Timeframe

Wednesday January 19, 2022 6:44 am PST by
Apple suppliers will begin producing display panels for the third-generation iPhone SE this month, with final assembly of the device likely to start in March, according to information shared by display industry consultant Ross Young. Based on this production timeframe, Young believes the third-generation iPhone SE is likely to launch in the second half of April, or perhaps in early May at...
iphone 13 earpods

Apple to Stop Including EarPods With Every iPhone Sold in France From Next Week

Friday January 21, 2022 3:21 am PST by
Apple will no longer include EarPods with every iPhone sold in France, starting on January 24, according to a notice posted by a French carrier (via iGeneration). Apple was previously required to include EarPods in the box with the iPhone due to a French law that required every smartphone sold in the country to come with a "handsfree kit," but the law has now been changed in favor of reducing the ...
Spring 2022 Apple Products Feature

New iPad Air, Macs, and iPhone SE With 5G Likely to Be Announced at Apple Event This Spring

Thursday January 20, 2022 8:32 am PST by
Earlier this week, Bloomberg's Mark Gurman tweeted that Apple "will be holding a spring event" to announce a new iPhone SE and other hardware. In a recent edition of his newsletter, Gurman said the event is likely to occur in March or April. Gurman did not elaborate on what "other hardware" will be announced at Apple's purported spring event, but rumors suggest at least four products are...
appleeducation

Apple's US Education Store Now Requires Institution Verification to Buy Discounted Products

Wednesday January 19, 2022 2:22 am PST by
Apple is now requiring that customers in the United States verify that they're active students, teachers, or staff members at an educational institution in order to access education discounts on products. Previously, little verification was needed for customers to purchase products through Apple's education store in the United States. Apple's education stores offer models of the iPad and Mac ...
AirPods 3 New Firmware Feature

Apple Updates AirPods 3 Firmware to Version 4C170

Tuesday January 18, 2022 11:46 am PST by
Apple today released a new 4C170 firmware update for the AirPods 3, an update from the prior 4C165 that was made available in December. Apple does not offer details on what's included in new firmware updates for the AirPods‌, so we don't know what improvements or bug fixes the new firmware brings. There is no standard way to upgrade the ‌AirPods‌‌ software, but firmware is...
appleprivacyad cleaned

iOS 15 Patched Security Hole That Potentially Exposed Users' Private Apple ID Information to Third-Party Apps

Thursday January 20, 2022 3:32 am PST by
Apple patched two significant security vulnerabilities when it released iOS 15 that could have potentially exposed users' private Apple ID information and in-app search history to malicious third-party apps and allowed apps to override user Privacy preferences, Apple has revealed in a recent support document update. With most iOS, macOS, tvOS, and watchOS updates, Apple provides a list of...
apple watch series 7 aluminum colors yellowbg

Apple Watch Charging Bug Fixed in watchOS 8.4 Release Candidate

Thursday January 20, 2022 4:01 pm PST by
The watchOS 8.4 release candidate that was seeded to developers and beta testers this morning addresses an ongoing bug that could cause some Apple Watch chargers not to work properly with the Apple Watch. Back in December, we reported on a growing number of charging issues that Apple Watch Series 7 owners were facing. Since watchOS 8.3, there have been a number of complaints about...