iOS Apps Called-Out For Poor SSL Security


Nokia’s not the only one finding itself in hot water over encrypted mobile connections lately, and now a number of iOS apps are under fire for their lackadaisical security policies.

SSL is all about the chain of trust, and there’s a small group of entities that act as trusted Certificate Authorities, certifying that the sites you connect to over SSL are run by whom they say they are. If you try to connect to a site whose SSL credentials were not issued by one of these trusted CAs, Safari alerts you to that effect, as it rightly should, since that could be a sign of an attempt to hijack your connection.

While iOS has a list of trusted CAs built-in, it’s been discovered that some apps simply ignore this list, and will accept certificates from any CA (including malicious ones) without alerting the user. With a little effort, an attacker could take advantage of users connecting to an open WiFi access point to spoof the identity of the server these apps connect to, stealing your data in the process.
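As an added example (not code from the article or from any of the apps it names), here is the NSURLConnection delegate pattern an auditor looks for: the first branch accepts whatever certificate the server presents, the second asks the system to evaluate the chain against the device's built-in trusted CAs and drops the connection otherwise. The class name and the `trustAnyCertificate` flag are hypothetical, used only to place both patterns side by side.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical delegate used to illustrate both patterns; names are made up.
@interface ExampleFetcher : NSObject <NSURLConnectionDelegate>
@property (nonatomic) BOOL trustAnyCertificate; // constructed flag, for the demo only
@end

@implementation ExampleFetcher

- (void)connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        // Not a TLS server-trust challenge (e.g. HTTP auth); let the system handle it.
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
        return;
    }
    SecTrustRef trust = space.serverTrust;

    if (self.trustAnyCertificate) {
        // VULNERABLE: the pattern described above. The server's certificate is
        // accepted without ever being evaluated, so a certificate from any CA,
        // self-signed or not, satisfies the handshake.
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
             forAuthenticationChallenge:challenge];
        return;
    }

    // HARDENED: evaluate the presented chain against the device's trusted CAs.
    // The trust object already carries the SSL policy for the requested hostname.
    SecTrustResultType result = kSecTrustResultInvalid;
    OSStatus status = SecTrustEvaluate(trust, &result);
    BOOL trusted = (status == errSecSuccess) &&
                   (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
    if (trusted) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
             forAuthenticationChallenge:challenge];
    } else {
        // Untrusted chain: refuse rather than silently continue.
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}

@end
```

The simplest fix of all is to not implement this delegate method for server-trust challenges; iOS then performs the same default evaluation on its own.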

So far, Credit Karma, Fandango, Cinemagram, Flickr, eFax, WebEx, TD Ameritrade, E*TRADE, Monster, H&R Block, ooVoo, PAYware (by Verifone), EVERPay Mobile POS, and Learn Vest have all been identified as being vulnerable to such an attack. Some are already working on fixes, but others remain susceptible.

Source: Neglected Potential
Via: iMore

About The Author
Stephen Schenck