76 Popular Apps Confirmed Vulnerable to Silent Interception of TLS-Protected Data
During the development of our web-based mobile app analysis service verify.ly, it was essential to have a clear understanding of the most common security issues which plague mobile applications today. Automatically scanning the binary code of applications within the Apple App Store en-masse allowed us to get a vast amount of information about these security issues.
I will present some findings within this post which I believe to be in the public interest, related specifically to iOS applications which are vulnerable to silent interception of (normally) TLS-protected data while in use. Our system flagged hundreds of applications as having a high likelihood of vulnerability to data interception, but at this time I will be posting details of the connections and data which I was able to fully confirm as vulnerable using a live iPhone running iOS 10 and a “malicious” proxy to insert an invalid TLS certificate into the connection for testing.
UPDATE: A follow up has been posted here.
- During the testing process, I was able to confirm 76 popular iOS applications allow a silent man-in-the-middle attack to be performed on connections which should be protected by TLS (HTTPS), allowing interception and/or manipulation of data in motion.
- According to Apptopia estimates, there has been a combined total of more than 18,000,000 (Eighteen Million) downloads of app versions which are confirmed to be affected by this vulnerability.
- For 33 of the iOS applications, this vulnerability was deemed to be low risk (All data confirmed vulnerable to intercept is only partially sensitive analytics data about the device, partially sensitive personal data such as e-mail address, and/or login credentials which would only be entered on a non-hostile network).
- For 24 of the iOS applications, this vulnerability was deemed to be medium risk (Confirmed ability to intercept service login credentials and/or session authentication tokens for logged in users).
- For 19 of the iOS applications, this vulnerability was deemed to be high risk (Confirmed ability to intercept financial or medical service login credentials and/or session authentication tokens for logged in users).
- The App Transport Security feature of iOS does not and cannot help block this vulnerability from working.
- Within the “Solving the Problem” section, I present a simple short-term mitigation to this vulnerability class which any end user will be able to make use of.
Explaining the Risk
There are many potential avenues along the network path for this vulnerability class to be exploited in order to intercept and/or manipulate data. While it is certainly possible for an ISP or a rogue Wi-Fi provider to be the attacker, that is unlikely in most Western regions, and is not considered to be a serious risk. With regards to this sort of man-in-the-middle attack, a common analogy makes a reference to using the Wi-Fi connection within a coffee shop, or an airport, but lately I am starting to dislike the analogy as it is easy to misunderstand and minimize the perceived potential for attack. The truth of the matter is, this sort of attack can be conducted by any party within Wi-Fi range of your device while it is in use. This can be anywhere in public, or even within your home if an attacker can get within close range. Such an attack can be conducted using either custom hardware, or a slighly modified mobile phone, depending on the required range and capabilities. The best similar and well-understood form of attack to this would be the ability to read data from credit cards at a close range.
Vulnerable Applications (Low Risk)
This is a listing of iOS applications which are vulnerable to this attack, but pose a low risk to end users if data is intercepted. Additionally included are iOS applications which have already been publicly disclosed as vulnerable.
- ooVoo — Free Video Call, Text and Voice: Username and Password are vulnerable to interception. This was also documented in 2013 by Nick Arnott.
- VivaVideo — Free Video Editor & Photo Movie Maker: OS Version, Device Model, and Search Queries are vulnerable to interception.
- Snap Upload for Snapchat — Send Photos & Videos: Snapchat Username and Password are sent to “sc.apparser.com” and are vulnerable to interception. We have noted similar behavior in March 2016 within iOS apps which contain the same functionality.
- Uconnect Access: Username, Pandora Username/Password (during initial setup), and Slacker Radio Username/Password (during initial setup) are vulnerable to interception. The Login API is confirmed to properly validate certificates, so it is unlikely that an attacker could utilize this vulnerability to cause any problems for your vehicle.
- Volify — Free Online Music Streamer & MP3 Player: OS Version, Device Model, Cellular Network Name, and Battery Information are vulnerable to interception.
- Uploader Free for Snapchat — Quick Upload Snap from Camera Roll: This contains most of the same code as the above “Snap Upload for Snapchat — Send Photos & Videos” application albeit with a slightly different user interface. The same data is vulnerable to interception.
- Epic! — Unlimited Books for Kids: Encryption keys are vulnerable to interception. There is likely to be no adverse effects for the end user arising from interception, as the keys are highly likely to be DRM related.
- Mico — Chat, Meet New People: E-Mail Address and OS version are vulnerable to interception.
- Safe Up for Snapchat — Quick Upload photos and videos from your camera roll: Snapchat Username and Password are sent to “api.uapptrack.com” and are vulnerable to interception.
- Tencent Cloud: Analytics information (obfuscated) is vulnerable to interception.
- Uploader for Snapchat — Quick Upload Pics & Videos to Snapchat: This contains most of the same code as the above “Snap Upload for Snapchat — Send Photos & Videos” application albeit with a slightly different user interface. The same data is vulnerable to interception.
- Huawei HiLink (Mobile WiFi): OS Version and Device Model are vulnerable to interception.
- VICE News: OS Version, Device Model, and First-Party API Calls are vulnerable to interception.
- Trading 212 Forex & Stocks: Username is vulnerable to interception. The Login API is confirmed to properly validate certificates, so password is not vulnerable to interception.
- 途牛旅游-订机票酒店火车票汽车票特价旅行: OS Version, Device Model, Wi-Fi Network Name, and Wi-Fi Network BSSID are vulnerable to interception.
- CashApp — Cash Rewards App: OS Version and Cellular Network Name are vulnerable to interception.
- [Clone of legitimate service] (Removed from App Store as of 7 Feb 2017): OS Version, Device Model, Mobile Network Code, and Mobile Country Code are vulnerable to interception. (Update: This application was misusing the trademark of a legitimate service of which it has no relation to — The name has been removed to avoid confusion).
- 1000 Friends for Snapchat — Get More Friends & Followers for Snapchat: This contains most of the same code as the above “Safe Up for Snapchat — Quick Upload photos and videos from your camera roll” application albeit with a slightly different user interface. The same data is vulnerable to interception.
- YeeCall Messenger-Free Video Call&Conference Call: E-Mail Address and Phone Number are vulnerable to interception.
- InstaRepost — Repost Videos & Photos for Instagram Free Whiz App: Analytics information (obfuscated) is vulnerable to interception.
- Loops Live: Mobile Network Code and Mobile Country Code are vulnerable to interception.
- Privat24: OS Version and Device Model are vulnerable to interception. The Login API is confirmed to properly validate certificates, so password is not vulnerable to interception.
- Private Browser — Anonymous VPN Proxy Browser: Facebook Analytics Data and First-Party API Calls are vulnerable to interception. The payloads of API calls appear to be obfuscated, it is possible that further data can be found here.
- Cheetah Browser: OS Version, Device Model, GPS Location, and Autocomplete keystrokes (Google + Baidu) are vulnerable to interception.
- [Libyan Banking Application]: Generic API calls (Such as ATM Locator) are vulnerable to interception. No “Login” functionality could be located within this application, therefore ability to intercept login credentials remains unclear. (Update: The Deputy Chairman of this bank has informed me that the assessed version of this application is old, and will soon be removed from the App Store. The new application can be found here. We have not yet assessed the new application. The application name has been removed from this list to avoid confusion by users).
- FirstBank PR Mobile Banking: App version check API call is vulnerable to interception. The Login API is confirmed to properly validate certificates, so password is not vulnerable to interception.
- vpn free — OvpnSpider for vpngate: VPN Server List and VPN Server Information is vulnerable to interception and manipulation.
- Gift Saga — Free Gift Card & Cash Rewards: OS Version, Device Model, Mobile Network Code, and Mobile Country Code are vulnerable to interception.
- Vpn One Click Professional: VPN Server List, VPN Server Information, and direct “Mobileconfig” download links are vulnerable to interception and manipulation.
- Music tube — free imusic playlists from Youtube: Video List and Search Queries are vulnerable to interception.
- AutoLotto: Powerball, MegaMillions Lottery Tickets: API calls (such as retrieval of drawing dates/times) are vulnerable to interception.
- Foscam IP Camera Viewer by OWLR for Foscam IP Cams: API calls are vulnerable to interception.
- Code Scanner by ScanLife: QR and Barcode Reader: OS Version, Device Model, Mobile Network Code, Mobile Country Code, and Beacon List are vulnerable to interception.
Vulnerable Applications (Medium and High Risk)
Please see this follow up post.
This class of vulnerability has been an issue in the past for various noteworthy iOS applications. Gathering information via open source, I was able to find 26 total instances over the past few years. To my knowledge, the mentioned apps are likely to be fixed, unless otherwise noted (This is an assumption based on timeframe, but they were not part of this assessment so I have not 100% confirmed).
- ShoreTel Mobility Client for iOS (2017)
- ThreatMetrix SDK for iOS (2017)
- Experian (2016)
- myFICO (2016)
- Trend Micro Mobile Security for iOS (2016)
- U by BB&T (2016)
- Citrix iOS Receiver (2016)
- Kaspersky Safe Browser (2016)
- Dell SecureWorks (2016)
- Duo Mobile (2015)
- 14 iOS applications documented by Nick Arnott (2013)
- Cisco WebEx (2012)
- PayPal (2010)
Solving the Problem
This class of vulnerability poses a complex problem, as application developers are the only ones who can fully mitigate it. It is derived from networking-related code within iOS applications being misconfigured in a highly unfortunate manner. Due to this, Apple’s “App Transport Security” mechanism will see the connection as a valid TLS connection, as it must allow the application to judge the certificate validity if it chooses to do so. There is no possible fix to be made on Apple’s side, because if they were to override this functionality in attempt to block this security issue, it would actually make some iOS applications less secure as they would not be able to utilize certificate pinning for their connections, and they could not trust otherwise untrusted certificates which may be required for intranet connections within an enterprise using an in-house PKI. Therefore, the onus rests solely on app developers themselves to ensure their apps are not vulnerable.
- End Users: There is a short term trick which can be used to mitigate this type of vulnerability. The vulnerability is very likely to only be exploited if your connection is flowing over Wi-Fi (whether you’ve joined a public Wi-Fi network, or a determined attacker has force-joined your mobile device onto a rogue network without your knowledge). Therefore, if you are in a public location and need to perform a sensitive action on your mobile device (such as opening your bank app and checking your account balance), you can work around the issue by opening “Settings” and turning the “Wi-Fi” switch off prior to the sensitive action. While on a cellular connection the vulnerability does still exist, cellular interception is more difficult, requires expensive hardware, is far more noticeable, and it is quite illegal (within the United States). Therefore, it is much less plausable for an attacker to risk attempting to intercept a cellular data connection.
- Companies: If you offer an application in the iOS App Store, consider analyzing builds prior to App Store submission using our verify.ly service. This class of vulnerability and all other possible “low hanging fruits” (vulnerabilities discoverable to a determined attacker who commits 24 hours total analysis time) can be fully detected by performing an automated scan of the binary code and giving you an easy to read report outlining any and all flagged issues, ensuring your customer data is safe.
- Developers: Be extremely careful when inserting network-related code and changing application behaviors. Many issues like this arise from an application developer not fully understanding the code they’ve borrowed from the web.
As mentioned earlier, this will be revisited in 60 to 90 days to document responses from affected companies and application fix timelines. Investigation of more applications may also occur, due to hundreds of applications being flagged as being vulnerable (with high confidence), but this would depend on public interest.
If you have any questions, feel free to reach out to me via Twitter (@chronic).
If you need any sort of mobile application research conducted which requires mass analysis of many applications to retrieve data and/or answer a question, e-mail would be the best way to get in touch (firstname.lastname@example.org).