You know there’s a security flaw hidden in over 100,000 iOS apps out of the 1.4 million total, but which ones are actually vulnerable? How would you find out?
SourceDNA is constantly scanning apps from the app stores, analyzing and indexing their binary code. This lets us search for apps by their behavior and the tools & libraries they were built with.
AFNetworking recently had a major security flaw. The affected version did not validate SSL certificates, so a man-in-the-middle on the same network (the proverbial coffee shop attacker) could silently intercept the connection and read whatever the app sent, including user credentials and banking data. We decided to track down apps that were still shipping the vulnerable version of AFNetworking and notify their developers so they could patch.
First, we had to determine the vulnerability window. We found the AFNetworking flaw was present in the GitHub repo from January 24 through March 25. More importantly, it had been released as version 2.5.1 on February 12 before being fixed in version 2.5.2. Any developer who pulled in the library during that window, whether from the tagged release or directly from the repo, could have shipped the vulnerable code.
We then uploaded three versions of AFNetworking: before, during, and after the flaw. SourceDNA created a differential fingerprint from them to find the vulnerable code. Think of this as a set of unique characteristics that were present or absent only in the targeted version and not any others before or after it. With this set of signatures, our analysis engine would tell us exactly which version of AFNetworking was in use in each app.
The limitation of differential fingerprints is that they are myopic. Like the Unix diff utility, they need context to be useful: on their own they only say whether a particular code change is present, not whether the library is there at all. Point them at the right area of code, though, and they tell you just what you need to know.
To get that context, our system first needs to find apps that contain any version of AFNetworking. Our core technology is a binary similarity engine that does exactly this. It works by building an index of a number of features of each app’s code, allowing us to quickly search for fuzzy matches for chunks of binary code.
The day the flaw was announced and patched, a quick search in SourceDNA showed about 20,000 iOS apps (out of the roughly 100,000 that use AFNetworking) that both contained the AFNetworking library and had been updated or released on the App Store after the flawed code was committed. Our system then scanned those apps with the differential signatures to see which ones actually had the vulnerable code.
The results? 55% had the older but safe 2.5.0 code, 40% were not using the portion of the library that provides the SSL API, and 5%, about 1,000 apps, had the flaw. Are these apps important? We compared them against our rank data and found some big players: Yahoo!, Microsoft, Uber, Citrix, etc. It amazes us that a flaw that lived in an open-source library for only six weeks exposed millions of users to attack.
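The two-stage scan described above, as an added Python example that is not SourceDNA's code: stage 1 indexes each binary as a set of hashed byte n-gram features and fuzzily matches the library's core code; stage 2 builds a differential fingerprint from three builds of the library (before, vulnerable, after) and tests each candidate for the features unique to the flawed build, sorting apps into the same buckets as the results above (older safe build, fixed build, vulnerable, library linked but SSL module absent). The 8-byte windows, the 64-bit BLAKE2 hash, the thresholds and all of the "binaries" are constructed assumptions; only the flaw date comes from the post.

```python
import hashlib
import random
from dataclasses import dataclass
from datetime import date

NGRAM = 8            # bytes per feature window (assumed)
LIB_PRESENT = 0.5    # share of core features needed to call the library present
VERSION_MATCH = 0.9  # share of one build's unique features needed to name it
FLAW_COMMITTED = date(2015, 1, 24)  # first day the flaw was in the repo (from the post)


def features(code: bytes, n: int = NGRAM) -> frozenset[int]:
    """Hash every n-byte window of a blob into a set of 64-bit features."""
    return frozenset(
        int.from_bytes(hashlib.blake2b(code[i:i + n], digest_size=8).digest(), "big")
        for i in range(len(code) - n + 1)
    )


def containment(needle: frozenset[int], haystack: frozenset[int]) -> float:
    """Fraction of `needle` found in `haystack`: asymmetric on purpose, so an
    app that embeds the library scores ~1.0 however much code of its own it has."""
    return len(needle & haystack) / len(needle) if needle else 0.0


@dataclass(frozen=True)
class DifferentialFingerprint:
    core: frozenset[int]         # in every build: "some version is linked"
    only_before: frozenset[int]  # features found only in the last safe build
    only_vuln: frozenset[int]    # features found only in the flawed build
    only_after: frozenset[int]   # features found only in the fixed build


def build_fingerprint(before: bytes, vuln: bytes, after: bytes) -> DifferentialFingerprint:
    b, v, a = features(before), features(vuln), features(after)
    return DifferentialFingerprint(b & v & a, b - v - a, v - b - a, a - b - v)


@dataclass(frozen=True)
class App:
    name: str
    released: date
    code: bytes


def classify(app: App, fp: DifferentialFingerprint) -> str:
    if app.released < FLAW_COMMITTED:
        return "not-in-window"            # shipped before the flaw existed
    feats = features(app.code)
    if containment(fp.core, feats) < LIB_PRESENT:
        return "no-library"               # stage 1: fuzzy match failed
    # Stage 2: which build's unique features survive in the app?
    scores = {
        "safe-older": containment(fp.only_before, feats),
        "vulnerable": containment(fp.only_vuln, feats),
        "safe-fixed": containment(fp.only_after, feats),
    }
    label, score = max(scores.items(), key=lambda kv: kv[1])
    # Library linked, but none of the SSL-module variants is present: the app
    # never pulled in the part of the library that changed.
    return label if score >= VERSION_MATCH else "ssl-module-absent"


def scan(store: list[App], fp: DifferentialFingerprint) -> dict[str, str]:
    return {app.name: classify(app, fp) for app in store}


def _blob(seed: int, n: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for compiled code (constructed)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed stand-ins: the three builds share LIB_COMMON and differ by one
# byte in the SSL module (the version digit), so only the 8 windows covering
# that byte are unique to each build.
LIB_COMMON = _blob(1, 480)
SSL_BEFORE = b"AFSecurityPolicy 2.5.0 evaluateServerTrust:forDomain: validatesDomainName"
SSL_VULN = b"AFSecurityPolicy 2.5.1 evaluateServerTrust:forDomain: validatesDomainName"
SSL_FIXED = b"AFSecurityPolicy 2.5.2 evaluateServerTrust:forDomain: validatesDomainName"
FINGERPRINT = build_fingerprint(LIB_COMMON + SSL_BEFORE, LIB_COMMON + SSL_VULN,
                                LIB_COMMON + SSL_FIXED)

# Constructed app store: each app's own code with a library build (or none)
# embedded in the middle.  "games" links the library but strips the SSL module.
STORE = [
    App("banking", date(2015, 3, 1), _blob(10, 300) + LIB_COMMON + SSL_VULN + _blob(11, 200)),
    App("weather", date(2015, 3, 1), _blob(12, 300) + LIB_COMMON + SSL_BEFORE + _blob(13, 200)),
    App("chat", date(2015, 4, 2), _blob(14, 300) + LIB_COMMON + SSL_FIXED + _blob(15, 200)),
    App("games", date(2015, 3, 1), _blob(16, 300) + LIB_COMMON + _blob(17, 200)),
    App("notes", date(2015, 3, 1), _blob(18, 500)),
    App("old-news", date(2014, 12, 1), _blob(19, 300) + LIB_COMMON + SSL_BEFORE + _blob(20, 200)),
]

if __name__ == "__main__":
    for name, verdict in scan(STORE, FINGERPRINT).items():
        print(f"{name:9} {verdict}")
```

The stage-1 threshold is deliberately loose and the stage-2 threshold deliberately tight: the core signature has to survive an app linking only part of the library, while the version signatures are small and should match almost entirely or not at all. A real engine would also carry the "absent only in the flawed build" side of the diff (features every other build has and the flawed one lacks), and its features would have to tolerate compiler and optimisation differences between the reference build and the app's build, which is exactly the fuzziness the toy byte windows here do not model.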
We created a monitoring service you can use to check if your own apps are vulnerable. Try it out even if you don’t use AFNetworking. We’ll send you a software inventory showing the commercial and open-source code you’re using, and we can notify you when we find future vulnerabilities.
As apps continue to be patched and released, we’ll keep you informed as to how quickly developers are addressing this major flaw. We’ve already seen some good uptake of the fixed 2.5.2 version in the latest versions of vulnerable apps (kudos to Yahoo for quickest patch!) but some are still in the App Store review queue. We’ll publish an update here soon.