Third flaw discovered in AFNetworking SSL library

AFNetworking, the SSL library that is incorporated into thousands of iOS and iPad apps, is back in the news again – for all the wrong reasons.

The SourceDNA blog is reporting that it has discovered another flaw in the code, which has necessitated the release of version 2.5.3 just days after 2.5.2 was released to fix bugs in 2.5.1.

SourceDNA says:

Remember back when 1,500 vulnerable apps was a big deal? How about 25,000+ apps? There's another AFNetworking SSL flaw in apps that exposes user data to any attacker with a US$50 (£32) certificate.

We began auditing the AFNetworking SSL code after the previous vulnerability was announced. Version 2.5.1 would accept self-signed certificates (pretty much game over for your users' data). It was released for only six weeks, and yet 1,500 apps+ were affected.

A few weeks ago, we found that version 2.5.2 did fix this issue, but there was another flaw nearby in the same code. Domain name validation could be enabled by the validatesDomainName flag, but it was off by default. It was only enabled when certificate pinning was turned on, something too few developers are using.

Apps were immune to this flaw if they had enabled pinning.

This opens apps to attacks by coffee shop hackers who can eavesdrop on private data or control SSL sessions between the app and the Internet. “Because the domain name wasn't checked, all they needed was a valid SSL certificate for any web server, something you can buy for US$50,” SourceDNA wrote.

It's surprising to see this bug in 2.5.2, they said, because the flaw had been reported and fixed in version 2.5.1 but the fix was omitted from 2.5.2.

SourceDNA gives credit to Ivan Leichtling at Yelp Engineering for being the first to report it. It recommends immediately updating your apps to 2.5.3 and enabling public key or certificate-based pinning as an extra defence.
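The recommended hardening, sketched as an added example (not code from SourceDNA or the AFNetworking project): a client built on AFNetworking 2.5.3 or later that sets the validatesDomainName flag explicitly alongside public key pinning, plus the equivalent Security framework check for code that evaluates server trust itself. The host api.example.com, the bundled file server.cer and both function names are assumptions made for illustration.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import "AFNetworking.h"   // assumes AFNetworking 2.5.3 or later is linked

// Hypothetical helper: returns a manager whose TLS policy pins the server's
// public key AND binds the certificate to the requested host name.
static AFHTTPSessionManager *MakePinnedManager(void) {
    // Placeholders: api.example.com and server.cer (DER-encoded certificate).
    NSURL *baseURL = [NSURL URLWithString:@"https://api.example.com"];
    NSString *cerPath = [[NSBundle mainBundle] pathForResource:@"server" ofType:@"cer"];
    NSData *pinnedCert = cerPath ? [NSData dataWithContentsOfFile:cerPath] : nil;
    if (pinnedCert == nil) {
        return nil;   // fail closed rather than build an unpinned client
    }

    AFSecurityPolicy *policy =
        [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey];
    policy.pinnedCertificates = @[pinnedCert];
    policy.allowInvalidCertificates = NO;   // reject self-signed certificates
    policy.validatesDomainName = YES;       // set explicitly, do not rely on a default

    AFHTTPSessionManager *manager =
        [[AFHTTPSessionManager alloc] initWithBaseURL:baseURL];
    manager.securityPolicy = policy;
    return manager;
}

// Hypothetical helper for code that handles an authentication challenge itself:
// an SSL policy created with the host name makes trust evaluation fail for a
// certificate that chains to a trusted CA but was issued for another domain.
static BOOL ServerTrustIsValidForHost(SecTrustRef trust, NSString *host) {
    SecPolicyRef sslPolicy = SecPolicyCreateSSL(true, (__bridge CFStringRef)host);
    if (sslPolicy == NULL) return NO;
    OSStatus status = SecTrustSetPolicies(trust, sslPolicy);
    CFRelease(sslPolicy);
    if (status != errSecSuccess) return NO;

    // SecTrustEvaluate is used here; newer SDKs offer SecTrustEvaluateWithError.
    SecTrustResultType result = kSecTrustResultInvalid;
    if (SecTrustEvaluate(trust, &result) != errSecSuccess) return NO;
    return result == kSecTrustResultUnspecified || result == kSecTrustResultProceed;
}
```

A release check that greps the shipped binary's dependency manifest for the AFNetworking version catches the case SourceDNA describes, where a fix exists upstream but never reaches the app.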

The saga of AFNetworking demonstrates that “a bug is not truly fixed until it has made it into a release and into your apps and out to the app stores. Developers need to track the code in their apps to be sure patches aren't lost along the way,” SourceDNA said.

Security experts SC spoke to in regard to the previously reported flaws (http://www.scmagazineuk.com/ssl-flaw-puts-thousands-of-ios-apps-at-risk/article/411226/) said that the validation of third-party code was a real challenge to the software industry.