Dozens of iOS apps that are supposed to be encrypting their users’ data don’t do it properly, according to a security vendor.
Will Strafach, CEO of Sudo Security Group, said he found 76 iOS apps that are vulnerable to an attack that can intercept protected data.
The developers of the apps have accidentally misconfigured the networking-related code so it will accept an invalid Transport Layer Security (TLS) certificate, Strafach claimed in a Monday blog post.
TLS is used to secure an app’s communication over an internet connection. Without it, a hacker can essentially eavesdrop over a network to spy on whatever data the app sends, such as login information.
“This sort of attack can be conducted by any party within Wi-Fi range of your device while it is in use,” Strafach said. “This can be anywhere in public, or even within your home if an attacker can get within close range.”
Strafach discovered the vulnerability in the 76 apps by scanning them with his company-developed security service, verify.ly, which he’s promoting. It flagged “hundreds of applications” with a high likelihood of data interception.