Nokia’s not the only one finding itself in hot water over encrypted mobile connections lately, and now a number of iOS apps are under fire for their lackadaisical security policies.
SSL is all about the chain of trust, and there’s a small group of entities that act as trusted Certificate Authorities, certifying that the sites you connect to over SSL are run by whom they say they are. If you try to connect to a site that has SSL credentials not issued by one of these trusted CAs, Safari alerts you to that effect, as right it should, as that could be a sign of an attempt to hijack your connection.
While iOS has a list of trusted CAs built-in, it’s been discovered that some apps simply ignore this list, and will accept certificates from any CA (including malicious ones) without alerting the user. With a little effort, an attacker could take advantage of users connecting to an open WiFi access point to spoof the identity of the server these apps connect to, stealing your data in the process.
So far, Credit Karma, Fandango, Cinemagram, Flickr, eFax, WebEx, TD Ameritrade, E*TRADE, Monster, H&R Block, ooVoo, Match.com, PAYware (by Verifone), EVERPay Mobile POS, and Learn Vest have all been identified as being vulnerable to such an attack. Some are already working on fixes, but others remain susceptible.