![\"rotten-apple-image\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2013\/02\/rotten-apple-image.jpg\")
<\/p>\n<\/p>\n
<\/p>\n
There’s something rotten in the state of Apple security.<\/p>\n
In recent weeks the company has seen its products bedevilled with security flaws, said it’s too hard<\/a> to patch users running vulnerable, older versions of its software, and when it has released a security patch for at least some of its at-risk users\u2014seen it fail abysmally<\/a> to protect against the problem it was supposed to defend.<\/p>\n Meanwhile, against this backdrop, Cupertino has been banning legitimate anti-virus apps<\/a> from the iOS app store\u2014apparently on a whim.<\/p>\n Can things get worse?<\/p>\n Well, apparently they can.<\/p>\n Now news reaches us that some 1,500 approved apps in the so-called “walled garden,” famously vetted vigorously by Apple, have been found to contain a serious vulnerability that could be exploited by hackers to spy on communications, steal passwords and bank account information.<\/p>\n The problem, according to a blog post<\/a> by security analytics firm SourceDNA, lies in AFNetworking, a popular open-source library used by developers to give their apps networking capabilities.<\/p>\n Unfortunately, a version (2.5.1) of AFNetworking was released in January that contained a serious vulnerability that could allow malicious hackers to launch man-in-the-middle attacks, busting wide open HTTPS\/SSL traffic for interception.<\/p>\n In other words, if you have an app on your iPad or iPhone that uses AFNetworking 2.5.1, any communications you make using that app\u2014including your passwords or private conversations\u2014could be stolen.<\/p>\n AFNetworking was patched in late March<\/a>, but that’s no good to you if the at-risk apps you are running on your iOS device have not been recompiled using the new fixed version of the library.<\/p>\n Even if you have updated at-risk apps since AFNetworking was fixed in late March, that’s no guarantee that the apps on your smartphone are now secure and\u2014of course\u2014there’s no way to be 100% certain that anything you did with vulnerable apps since January might not have fallen into the hands of hackers.<\/p>\n So, you probably have some questions…<\/p>\n What apps are vulnerable?<\/strong> It’s also worth bearing in mind that any list is likely to change, as app developers produce new versions including the fixed AFNetworking library.<\/p>\n So how am I supposed to tell if I’m at risk?<\/strong> If I have a vulnerable app on my iPhone or iPad, does that mean that the entire device is exposed?<\/strong> I thought Apple was supposed to be really rigorous about vetting apps, and meant to stop apps that might endanger me from getting into the App Store?<\/strong> So what is Apple going to do about it?<\/strong> How about they remotely remove any vulnerable apps from users’ iPhones and iPads?<\/strong> Well, yes. They could do that, and it could be argued that from the security and privacy point of view that might be the correct course of action. However, it sure sounds inconvenient and would probably cause an uproar amongst users.<\/p>\n Okay, well how about they remove vulnerable apps from the App Store until fixed versions are available?<\/strong> Hmm. Shouldn’t Apple simply stop vulnerable apps getting into the App Store in the first place?<\/strong> Surely there’s something else that could be done to protect users from risks like this? Couldn’t you run a scanner to see if you have a dodgy app or security problem on your device?<\/strong> But, there’s a problem.<\/p>\n What’s that?<\/strong> Like I said, something is rotten in the state of Apple security.<\/p>\n","protected":false},"excerpt":{"rendered":" Things have recently gone rotten in the state of Apple security. Can things get any worse?<\/p>\n Unfortunately, it seems, yes they can.<\/p>\n","protected":false},"author":34,"featured_media":10913,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[7,5],"tags":[2164,3151,69,106],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\n\n\t\n\t\n\t\n
\nSourceDNA says that some apps from big name companies were affected, including Yahoo, Microsoft, Uber, and Citrix. However, no definitive list of affected apps has yet been released in an attempt to avoid real-life attacks.<\/p>\n
\nSourceDNA has produced an online search facility<\/a> where you can enter an app vendor, and find out whether their product is vulnerable and if a fixed version has been released.<\/p>\n![\"Vulnerable](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2015\/04\/citrix.jpeg\")
<\/p>\n
\nNot at all. This isn’t a problem with iOS. This is a problem with a code library which might be in some of your apps. Only activity you have inside those apps might be at risk. Which is something, I suppose.<\/p>\n
\nYes, you thought correctly. In this instance, they failed. In their defence, their current testing methodology might not be extensive enough to pick up these kind of flaws.<\/p>\n
\nWhat would you like them to do?<\/p>\n
\nAhh. The nuclear option.<\/p>\n
\nAgain, that might be an option. But I can still see how that may prove unpopular with both users and app developers\u2014some of whom might say they’re not concerned about the theoretical risk and are happy to take their chances until a fixed version of the app is available.<\/p>\n
\nI’m with you there! That would be nice, wouldn’t it? But it’s not really possible to do that with 100% precision – and delays in vetting would no doubt cause unrest amongst developers and users too.<\/p>\n
\nYou mean a bit like anti-virus software does on your Mac or PC? Yes, that might be a good idea for iPads and iPhones too. After all, that’s what you can do on Android which, to be fair, suffers much more from malicious attacks than iOS.<\/p>\n
\nApple doesn’t very much like the idea of anti-virus vendors writing products for iOS. In fact, it bans even ones with basic functionality<\/a> from the App Store\u2014let alone the kind of sophisticated functionality that security firms would love to build into them.<\/p>\n