The security officer examined the characteristics of applications in the App Store and found that some were merely imitating protection. According to experts Sudo Security Group, dozens of programs that encrypt user information, do it improperly.
As reported by Securitylab, the head of Sudo Security Group will Strafaci found 76 applications for iPhone, iPod touch and iPad that are vulnerable to attack allowing to intercept data.
Strafaci argues that because of errors associated with the data transfer program code can accept invalid TLS certificates. TLS is used to protect the data transmitted by the application through an Internet connection. Without it, a hacker can monitor the traffic and intercept any data of interest, for example, logins and passwords.
“Such attacks can carry anyone in range of a Wi-Fi network, while you use your device. Attack is possible in public places or even at your home if the attacker manages to get close enough,” – said in Sudo Security Group.
Strafaci found the problem in 76 iOS apps by scanning them with the help of developed company service verify.ly. The researcher tested the vulnerable program on the iPhone that are running iOS 10. Using a proxy server, the expert has successfully introduced to the connection invalid TLS certificate.
The expert says that 43 of the 76 mobile development represent a high and medium level of risk because an attacker could intercept they transmit usernames, passwords and tokens. The remaining 33 applications are less of a threat because they allow you to intercept only the email address.
A total of 76 of the studied apps have been downloaded from the store Apptopia 18 million times. Strafaci did not disclose the names of programs, however, have already notified their creators about the problem.