AFNetworking, an open-source library that provides networking capabilities for iOS and OS X apps, has been shown to be vulnerable to two different kinds of attack: one is the result of a bug, the other of a default setting under which an app does not check that a server's certificate was actually issued for the host it is connecting to.
As a consequence, iPhone and iPad apps built on the AFNetworking framework have been left potentially exposed to man-in-the-middle attacks, allowing an attacker on the same wireless network to intercept and read traffic that should be protected by TLS encryption.
The flaw was first reported in an issue on the project's GitHub repository on 13 February. On 6 March, security researchers discovered the flaw independently and diagnosed the cause of the problem. A patched library, version 2.5.2, was released on 26 March. However, it is estimated that 1,500 apps continue to ship with version 2.5.1 or earlier, leaving their users potentially open to attack.
The bug was a logic error that effectively disabled SSL certificate validation. According to security researchers Simone Bovi and Mauro Gentile, who wrote about it on the Minded Security blog, the flaw was introduced in late January in version 2.5.1.
According to consultant Sarb Sembhi at Storm Guidance, the bug allows an attacker to intercept communications using any legitimate digital certificate, because the code fails to check whether the certificate is for the domain name being visited.
“Within the code, in this third party library, it is not checking to see if the certificate is correct,” Sembhi told SCMagazineUK.com. “This is something that you might do if you were testing code, otherwise it's an error.”
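The check Sembhi describes is the domain-name (hostname) step that a TLS client must perform after it has decided the certificate chain is trusted. The following is an added illustration, not AFNetworking's code: it models the two-step decision with a certificate represented the way Python's `ssl.SSLSocket.getpeercert()` returns it, and a policy flag (here called `validates_domain_name`) that, when off, accepts any trusted certificate for any host. The sample certificates, host names and the `chain_trusted` input are constructed for the example.

```python
"""Added example: why chain validation alone does not stop a man-in-the-middle.

Not AFNetworking's code. Certificates are dicts in the shape returned by
ssl.SSLSocket.getpeercert(); chain_trusted stands in for the result of
X.509 chain validation (on iOS, SecTrustEvaluate). All sample data is
constructed for this illustration.
"""


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one dNSName SAN with a hostname.

    A wildcard is honoured only when it is the entire leftmost label, only
    in that label, and never for names with fewer than three labels
    (so "*.test" cannot match "bank.test").
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """Accept only if some dNSName SAN matches the host we dialed.

    The Common Name is deliberately ignored: it is deprecated for this
    purpose and has been the source of many past hostname-check bypasses.
    """
    sans = cert.get("subjectAltName", ())
    return any(kind == "DNS" and dns_name_matches(value, hostname)
               for kind, value in sans)


def evaluate_server_trust(cert: dict, hostname: str,
                          chain_trusted: bool,
                          validates_domain_name: bool) -> bool:
    """The two-step trust decision a TLS client must make.

    Step 1: is the chain trusted?  Step 2: is the certificate for this host?
    With validates_domain_name off, step 2 is skipped and any certificate
    that passes step 1, issued to anyone, is accepted: exactly the gap that
    lets an attacker holding a valid certificate for their own domain sit in
    the middle of the connection.
    """
    if not chain_trusted:
        return False
    if not validates_domain_name:
        return True
    return cert_matches_hostname(cert, hostname)


# Constructed sample certificates (same shape as getpeercert() output).
BANK_CERT = {
    "subject": ((("commonName", "api.examplebank.test"),),),
    "subjectAltName": (("DNS", "api.examplebank.test"),
                       ("DNS", "*.examplebank.test")),
}
# A certificate legitimately issued to the attacker's own domain.
ATTACKER_CERT = {
    "subject": ((("commonName", "attacker.test"),),),
    "subjectAltName": (("DNS", "attacker.test"),),
}


def demo(target: str = "api.examplebank.test") -> dict:
    """Outcomes for a client connecting to `target` under both policies."""
    return {
        # Weak policy: attacker's valid-but-wrong-host certificate is accepted.
        "attacker_cert_no_domain_check": evaluate_server_trust(
            ATTACKER_CERT, target, chain_trusted=True, validates_domain_name=False),
        # Correct policy: same certificate is rejected.
        "attacker_cert_with_domain_check": evaluate_server_trust(
            ATTACKER_CERT, target, chain_trusted=True, validates_domain_name=True),
        # The genuine server still passes the full check.
        "bank_cert_with_domain_check": evaluate_server_trust(
            BANK_CERT, target, chain_trusted=True, validates_domain_name=True),
        # An untrusted chain fails regardless of the hostname.
        "bank_cert_untrusted_chain": evaluate_server_trust(
            BANK_CERT, target, chain_trusted=False, validates_domain_name=True),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'ACCEPTED' if accepted else 'rejected'}")
```

The weak case is the one to look for when reviewing a client: both steps must be on, and the hostname compared must be the one the app intended to reach, not one taken from the certificate itself. In Python's standard library the equivalent switch is `SSLContext.check_hostname`, which `ssl.create_default_context()` enables; an app that turns it off, or a library that defaults it off, is in the position this article describes.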
He said it was regrettable that the mistake had been incorporated into around 1,500 apps, but given the industry's reliance on software libraries to facilitate agile development, he was not surprised that it had happened again.
“What's unusual in this case is that it was a very simple check that was left unperformed,” he said.
Rob Bamforth, principal analyst at Quocirca, told SC that one of the challenges of software engineering is the use of third-party and open-source libraries for security.
“With software vendors using open source libraries, you are outsourcing some of your trust as well as your effort. In theory it's open source so it's more widely poked and looked at,” Bamforth said.
Now that AFNetworking has been patched, the updates will hopefully roll out to mobile users quickly, he said.
However, he pointed out that for secure apps this will be just one layer in the overall security system. “At the end of the day, if it's an app like banking then your last layer of protection is the insurance policy that your bank offers you.”
He doubted that the security flaw would cause many developers to reconsider their use of AFNetworking. “It's likely that going elsewhere will be just as flawed, and they have already made an investment in working with the current provider,” he said.
Sarb Sembhi added: “If you follow good development practices, the developers of the toolkit would have checked this during their product development and verified it in functionality testing. This code needs to be fixed and those developers relying on this library need to update their apps. But with the best will in the world, you are always going to have some bug that someone has not picked up. We often hear of problems in code written 20 years ago. As time goes on you should not be finding anything fundamental, but it doesn't mean you won't find anything at all.”