Researcher: iOS Apps Are Handling TLS Certificates Incorrectly

by Developer.com Staff

Mobile development firms should double-check their use of encryption to make sure they are safeguarding user data.

Will Strafach, CEO of Sudo Security Group, says that he has found 76 iOS apps that are handling Transport Layer Security (TLS) certificates improperly, potentially allowing attackers to intercept user data. He says that some of the apps belong to "banks, medical providers, and other developers of sensitive applications." In all, the vulnerable apps have been downloaded 18 million times.

Apple requires mobile development firms to encrypt data using TLS, but Strafach says same apps are accepting invalid TLS certificates. Strafach is attempting to contact the developers involved in order to help them update their code. "Be extremely careful when inserting network-related code and changing application behaviors," he warned. "Many issues like this arise from an application developer not fully understanding the code they’ve borrowed from the web."

View article

This article was originally published on Tuesday Feb 7th 2017
Mobile Site | Full Site