R Ju2ljgAt least 76 popular iOS apps have been found to be vulnerable to data inception, according to a report from a security expert.

The discovery was made by app binary code scanning service verify.ly and published in a Medium post by Sudo Security Group CEO Will Strafach, who revealed that the apps failed to make use of the Transport Layer Security protocol.

The TLS protocol secures communication between client and server. Without the protection, the apps are susceptible to data interception by an attacker with access to custom hardware such as modified smartphone, which can be used to initiate TLS certificate injection attacks. The interception is possible regardless of whether the developers chose to use Apple networking security feature, App Transport Security.

The truth of the matter is, this sort of attack can be conducted by any party within Wi-Fi range of your device while it is in use. This can be anywhere in public, or even within your home if an attacker can get within close range.

There is no possible fix to be made on Apple's side, because if they were to override this functionality in attempt to block this security issue, it would actually make some iOS applications less secure as they would not be able to utilize certificate pinning for their connections, and they could not trust otherwise untrusted certificates which may be required for intranet connections within an enterprise using an in-house PKI. Therefore, the onus rests solely on app developers themselves to ensure their apps are not vulnerable.

Apps in the vulnerable list included a number of popular downloads like third-party Snapchat apps, the official app for Vice News, and banking apps for banks based in Puerto Rico and Libya.

Strafach sorted the 76 apps into low, medium, and high risk categories, and says he is reaching out to developers to fix the problems before disclosing the most high-risk apps in the list. According to Strafach, more than 18,000,000 downloads of the vulnerable app versions have been downloaded from the App Store.

Until the issues are dealt with, Strafach advises users of the apps to avoid accessing them over Wi-Fi, as it's harder to exploit the vulnerabilities over a cellular network.

Tags: App Store, Security

Top Rated Comments

Kabeyun Avatar
Kabeyun
117 months ago
For the tl;dr crowd, the medium and high security risk app list won't be published for 60-90 days to give the devs time to mitigate the exploit. Bookmark the page and check back then!
This shows us, again, that Apple's scrutiny is far from perfect. In the mean time use VPN.
Not really, or at least this is a misleading statement. Obscure networking attacks are hardly particular to Apple devices. That's what bug bounties and security updates are for in all OS's. But if you prefer the wild west of the uncurated Google play store, go right ahead. But I agree with using a VPN service. Anyone who's fool enough to conduct financial transactions on an open WiFi network...
Score: 7 Votes (Like | Disagree)
Kabeyun Avatar
Kabeyun
117 months ago
There is nothing wrong or misleading about the fact that Apple missed it, and since security is important to all of us... that is why Apple should have caught the problem long before security researchers do (did in this specific case).
Respectfully disagree. The headline, "15,000 Ford cars involved in accidents this year" implies that there's something about Fords that's a particular problem. It may be true that app clearinghouses like Apple's App Store should scrutinize every line of submitted code, but it's misleading to suggest that this is a particularly Apple problem.
Score: 2 Votes (Like | Disagree)
nwcs Avatar
nwcs
117 months ago
Very much expected. Security is a moving target for both developers and consumers. What may be totally secure today could be insecure tomorrow. As for TLS, only TLS 1.2 is currently secure so it's using the right version at the right time. You also have to stay on top of third party libraries and think like an attacker. Troy Hunt shows how easy it is to break the security of a lot of apps. The problem is people don't think like an attacker and so miss critical areas.
Score: 1 Votes (Like | Disagree)
I7guy Avatar
I7guy
117 months ago
Maybe Apple's screeners shoulda woulda coulda, but it's completely fair for Apple to advertise iOS as safest and macOS as most secure vs major competitors. No guarantees ever, they don't claim it, and people don't expect a guarantee.

This problem exists in an order of magnitude greater numbers ('https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html') in Google Play. Your position seems to be that Apple has no right to market its more secure App Store as more secure unless is can guarantee zero exploits. Sure, bad stuff can get through, but if your main concern is the safety of offerings, you'll pick the App Store over Google Play every time. Inversely, Google isn't absolved of dealing with appsec just because they don't advertise it as an asset.
I'm not sure why apple can't advertise ios as safe, given the millions of apps in the app store, some small percentage have vulnerability issue. Absolute security is not a destination it's a process. In the same way a 5 start auto rating by NHTSA does not mean no deaths in accidents for that vehicle.

On another note, I'm going to start using LTE more instead of wifi.
Score: 1 Votes (Like | Disagree)
Kabeyun Avatar
Kabeyun
117 months ago
I'm not sure why apple can't advertise ios as safe, given the millions of apps in the app store, some small percentage have vulnerability issue. Absolute security is not a destination it's a process. In the same way a 5 start auto rating by NHTSA does not mean no deaths in accidents for that vehicle.

On another note, I'm going to start using LTE more instead of wifi.
I knew there was a better car analogy somewhere!

Cellular is better, at least compared to open WiFi, but get a respected VPN service if you take security seriously.
Score: 1 Votes (Like | Disagree)
Bokito Avatar
Bokito
117 months ago
This is pretty insane. Banking apps without (proper) TLS connection? You've gotta be ******** me.

In the western world banks (or other companies using sensitive data) would immediately be penalized for not securing their users data (and would likely lose a whole lot of customers).
Score: 1 Votes (Like | Disagree)
Read All Comments

Popular Stories

airpods pro 3 purple

New, Higher End AirPods Pro Coming This Year

Tuesday January 20, 2026 9:05 am PST by
Apple is planning to debut a high-end secondary version of AirPods Pro 3 this year, sitting in the lineup alongside the current model, reports suggest. Back in September 2025, supply chain analyst Ming-Chi Kuo reported that Apple is planning to introduce a successor to the AirPods Pro 3 in 2026. This would be somewhat unusual since Apple normally waits around three years to make major...
Read Full Article104 comments
smaller dynamic island iphone 18 pro Filip Vabrous%CC%8Cek

iPhone 18 Pro Leak: Smaller Dynamic Island, No Top-Left Camera Cutout

Tuesday January 20, 2026 2:34 am PST by
Over the last few months, rumors around the iPhone 18 Pro's front-panel design have been conflicted, with some supply-chain leaks pointing to under-display Face ID, reports suggesting a top-left hole-punch camera, and debate over whether the familiar Dynamic Island will shrink, shift, or disappear entirely. Today, Weibo-based leaker Instant Digital shared new details that appear to clarify the ...
Read Full Article57 comments
iOS 27 Mock Quick

iOS 27 Will Add These 8 New Features to Your iPhone

Sunday January 18, 2026 3:51 pm PST by
iOS 27 is still many months away, but there are already plenty of rumors about new features that will be included in the software update. The first beta of iOS 27 will be released during WWDC 2026 in June, and the update should be released to all users with a compatible iPhone in September. Bloomberg's Mark Gurman said that iOS 27 will be similar to Mac OS X Snow Leopard, in the sense...
Read Full Article106 comments
14 inch MacBook Pro Keyboard

MacBook Pro Buyers Now Facing Up to a Two-Month Wait Ahead of New Models

Sunday January 18, 2026 6:50 pm PST by
MacBook Pro availability is tightening on Apple's online store, with select configurations facing up to a two-month delivery timeframe in the United States. A few 14-inch and 16-inch MacBook Pro configurations with an M4 Pro chip are not facing any shipping delay, but estimated delivery dates for many configurations with an M4 Max chip range from February 6 to February 24 or even later. At...
Read Full Article87 comments
Apple Logo Spotlight

Apple Expected to Unveil Five All-New Products This Year

Wednesday January 21, 2026 10:54 am PST by
In addition to updating many of its existing products, Apple is expected to unveil five all-new products this year, including a smart home hub, a Face ID doorbell, a MacBook with an A18 Pro chip, a foldable iPhone, and augmented reality glasses. Below, we have recapped rumored features for each product. Smart Home Hub Apple home hub (concept) Apple's long-rumored smart home hub should...
Read Full Article63 comments