In the past week, we’ve been hard at work on new features for Searchlight. In our previous releases, we scanned for a library version that accepted self-signed certificates and others that allowed certificates with any host name.
This time, we’ve added several features to encourage secure coding. Certificate (or public key) pinning is a way of ensuring that a random CA you’ve never heard of can’t help an attacker intrude on your SSL connections. It’s great that AFNetworking has supported this feature since version 1.2.0 (over 2 years!). Using pinning would have mitigated the recent issues, and it protects your users against rogue CAs. We’ve added a green badge to praise apps that are using pinning, like Signal and Simple Bank.
We’ve also been working to provide in-depth verification by testing select apps for SSL issues. We apply static analysis and run the apps by hand to confirm whether or not they are vulnerable. Apps that have been tested for SSL issues and confirmed to be secure also get a green badge. LinkedIn is one example of an app we verified.
With all the new features, we’ve also had to address a problem of our own. The original analysis identified the AFNetworking 2.5.0, 2.5.1, and 2.5.2 library versions using similarity analysis. However, our website displayed everything less than 2.5.0 (including the 1.x versions) as 2.5.0 (“2.x” to be exact) and flagged them as vulnerable. We apologize for the annoyance and have fixed this issue, breaking out the 1.x and 2.5.3 versions separately now.
We’re also updating our index soon to show the latest versions of apps that have been released in the past week. When that happens, you’ll see the “index date” change on the Searchlight home page. We’ve already increased the number of prior versions of apps it tracks.
We’ve had some questions about how to use this info. If you’re looking at a report for your apps, here’s how to interpret the badges. Each app lists the most recent update(s) that use AFNetworking, as well as the closest matching release version of its code. We currently break out versions 1.x, 2.x, 2.5.1, 2.5.2, and 2.5.3. We focus on these because some versions of 2.x and 2.5.2 default to not validating the domain name. Version 2.5.1 accepts self-signed certificates by default.
- Uses Pinning: the app has a valid certificate resource in its bundle. This is the quickest analysis we could roll out, but it won’t detect apps that manually set their own certificate blobs.
- SSL Verified: we tested the SSL usage in the app, as well as identified that the default connection settings in the code are secure.
- Latest: app is using the latest version of AFNetworking. Great!
- Investigate: app is possibly using a version that is vulnerable by default. This may be mitigated if it also uses pinning. This flag is not a guarantee the app is vulnerable and further investigation is needed to confirm.
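To make the pinning and default-validation points above concrete, here is an added example (written for this post, not code from Searchlight or the AFNetworking project) of an explicit AFNetworking 2.x security policy that pins a bundled certificate and forces domain-name and certificate validation on, regardless of which library version’s defaults you ship with. The certificate file name “api-server.cer” and the weak policy shown for contrast are assumptions for illustration.

```objectivec
#import <AFNetworking/AFNetworking.h>  // AFNetworking 2.x assumed

// Hardened policy: pin the DER certificate shipped in the app bundle
// (file name "api-server.cer" is an assumption) and set the two defaults
// the post warns about to their safe values explicitly.
static AFSecurityPolicy *PinnedSecurityPolicy(void) {
    NSString *path = [[NSBundle mainBundle] pathForResource:@"api-server" ofType:@"cer"];
    NSData *cert = [NSData dataWithContentsOfFile:path];
    NSCAssert(cert != nil, @"pinned certificate missing from bundle");

    AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];
    policy.pinnedCertificates = @[cert];    // NSArray of DER NSData in 2.x
    policy.allowInvalidCertificates = NO;   // reject self-signed / untrusted chains
    policy.validatesDomainName = YES;       // reject certs issued for another host
    return policy;
}

// Weak policy shown only for contrast: this is the kind of default the
// "Investigate" badge flags. No pinning, invalid certs accepted, and the
// host name in the certificate is never compared to the server you asked for.
static AFSecurityPolicy *WeakSecurityPolicy(void) {
    AFSecurityPolicy *policy = [AFSecurityPolicy defaultPolicy];
    policy.allowInvalidCertificates = YES;
    policy.validatesDomainName = NO;
    return policy;
}

// Wire the hardened policy into the request manager used for API calls.
AFHTTPRequestOperationManager *PinnedManager(void) {
    AFHTTPRequestOperationManager *manager = [AFHTTPRequestOperationManager manager];
    manager.securityPolicy = PinnedSecurityPolicy();
    return manager;
}
```

With the pinned policy in place, a certificate that chains to any CA other than the pinned one fails validation, which is what keeps a rogue CA from inserting itself into the connection.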
We hope you like these changes. We’re continuing to improve the depth of what you can find to help developers manage their apps. Future work involves identifying custom patches to the default settings and issues in Android and other libraries.
If you’re an iOS developer, please sign up to get notices when SourceDNA finds security issues that affect your apps. If you are curious about what you’re seeing or want to know how to fix an issue, drop us a line. We’re here to help!