Remember back when 1,500 vulnerable apps was a big deal? How about 25,000+ apps? There’s another AFNetworking SSL flaw in apps that exposes user data to any attacker with a $50 certificate.
We began auditing the AFNetworking SSL code after the previous vulnerability was announced. Version 2.5.1 would accept self-signed certificates (pretty much game over for your users’ data). It was out for only 6 weeks, and yet 1,500+ apps were affected.
A few weeks ago, we found that version 2.5.2 did fix this issue, but there was another flaw nearby in the same code. Domain name validation could be enabled via the validatesDomainName flag, but it was off by default. It was only enabled when certificate pinning was turned on, something too few developers do.
This meant that a coffee shop attacker could still eavesdrop on private data or grab control of any SSL session between the app and the Internet. Because the domain name wasn’t checked, all they needed was a valid SSL certificate for any web server, something you can buy for $50.
We were surprised to see this bug in 2.5.2, and doubly so when we realized this issue had already been reported and fixed the day after the previous SSL flaw was fixed, but no one seemed to have noticed that it had been left out of the 2.5.2 release. (Credit goes to Ivan Leichtling for being the first one to report this flaw).
We notified our customers and contacted the developer. He released the updated version 2.5.3 earlier this week. If you are using AFNetworking (any 2.x version), you must upgrade to 2.5.3 or newer. Also, you should enable public key or certificate-based pinning as an extra defense. Neither of these game-over SSL bugs affected apps using pinning.
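To make the two settings concrete, here is an added example of the AFSecurityPolicy configuration we recommend for an app on 2.5.3 or newer, next to the default an app silently got on 2.5.2. This is illustrative code written for this post, not code from the AFNetworking project; the certificate file name "api-example-com.cer" and the base URL https://api.example.com are assumptions.

```objective-c
#import <AFNetworking/AFNetworking.h>

// Added example, not code from the AFNetworking project or from SourceDNA.
// Builds the security policy an app should install on its session manager once
// it has upgraded to AFNetworking 2.5.3 or newer. Assumes a DER-encoded copy of
// the API server's certificate is bundled as "api-example-com.cer" and that the
// API lives at https://api.example.com (both hypothetical names).
static AFSecurityPolicy *HardenedSecurityPolicy(void)
{
    // Pin the public key of the bundled certificate. Neither of the two
    // AFNetworking bugs discussed above affected apps that pinned.
    AFSecurityPolicy *policy =
        [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey];

    // Turn on hostname checking explicitly rather than trusting the default:
    // in 2.5.2 this was NO unless pinning was enabled, which let a valid
    // certificate for any hostname pass.
    policy.validatesDomainName = YES;

    // Never accept self-signed or otherwise untrusted chains (the 2.5.1 bug).
    policy.allowInvalidCertificates = NO;

    NSString *certPath = [[NSBundle mainBundle] pathForResource:@"api-example-com"
                                                         ofType:@"cer"];
    NSData *certData = certPath ? [NSData dataWithContentsOfFile:certPath] : nil;
    // Fail closed: pinning mode with no pinned certificate rejects every host,
    // which is the right outcome for a misbuilt app bundle.
    NSCAssert(certData != nil, @"pinned certificate missing from app bundle");
    policy.pinnedCertificates = certData ? @[certData] : @[];

    return policy;
}

// Contrast: what an app on 2.5.2 got if it never touched security settings.
// Chain validation runs, but validatesDomainName is NO, so a coffee-shop
// attacker holding a valid certificate for any domain can terminate the
// TLS session. (The 2.5.3 fix is what changes this default.)
static AFSecurityPolicy *WeakDefaultPolicyOn252(void)
{
    AFSecurityPolicy *policy = [AFSecurityPolicy defaultPolicy];
    // policy.validatesDomainName == NO here on 2.5.2; nothing else to set.
    return policy;
}

// Install the hardened policy on the manager every request goes through.
static AFHTTPSessionManager *APIManager(void)
{
    NSURL *baseURL = [NSURL URLWithString:@"https://api.example.com"];
    AFHTTPSessionManager *manager =
        [[AFHTTPSessionManager alloc] initWithBaseURL:baseURL];
    manager.securityPolicy = HardenedSecurityPolicy();
    return manager;
}
```

Setting validatesDomainName explicitly costs nothing and protects you if a future release (or a stray copy of an older one in your dependency tree) ships with the wrong default again; pinning is what actually took both of these bugs off the table.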
This also shows that a bug is not truly fixed until it has made it into a release and into your apps and out to the app stores. Developers need to track the code in their apps to be sure patches aren’t lost along the way. Our Searchlight service can help you do just that, giving you immediate info on flaws that affect your apps.
We’ve updated Searchlight to show which apps are still vulnerable, and we’ll continue to publish new results there as affected apps are updated. If you’re a mobile developer, please sign up now to get notices when SourceDNA finds security issues that affect your apps.