Are YOU at risk? Bug found in apps including Uber and Microsoft's OneDrive is leaving MILLIONS of users vulnerable to hackers
If you're an iPhone or iPad owner, your encrypted passwords, bank details and other private details may be at risk from hackers.
Estimates suggest around 1,000 iOS apps are vulnerable to a flaw in connectivity software from AFNetworking.
This includes Uber, Microsoft's OneDrive and Movies by Flixster, and the flaw leaves any information, even if it's sent over a seemingly secure HTTPS connection, potentially open to hackers.
It was first reported at the end of last month by security researchers Simone Bovi and Mauro Gentile and specifically applies to version 2.5.1 of AFNetworking.
The flaw was active from 24 January until it was flagged up on 25 March.
On the day the flaw was announced, and subsequently patched, there were said to be 20,000 iOS apps that used the AFNetworking library and had been updated or released on the App Store after the flawed code was added.
Not all apps and developers use AFNetworking, and figures suggest the source code library features on around 100,000 apps in total.
The Uber app is shown left and its vulnerability report, taken from SourceDNA's online tool, is shown right.
Within the 20,000 potentially vulnerable apps, security experts at SourceDNA found that 55 per cent were running version 2.5.0 or older.
Some 40 per cent were not using the section of the library that applied to secure connections, leaving 5 per cent, or around 1,000 apps, at risk.
SourceDNA has continued to monitor these apps and created a search tool to let developers - and phone users - check to see if their apps and devices are at risk.
The security researchers are asking readers to highlight any apps still at risk in the comments on their blog post.
At the time of writing, Microsoft's OneDrive is still at risk, as are Uber, Citrix OpenVoice Audio Conferencing and Alibaba.com.
'It amazes us that an open-source library that introduced a security flaw for only six weeks exposed millions of users to attack,' said SourceDNA in the post.
'As apps continue to be patched and released, we'll keep you informed as to how quickly developers are addressing this major flaw.
'We've already seen some good uptake of the fixed 2.5.2 version in the latest versions of vulnerable apps - kudos to Yahoo for quickest patch - but some are still in the App Store review queue.'