Tuesday, 7 February 2017

23:18 by admin
Dozens of iOS mobile banking, medical and other applications handling sensitive user information are vulnerable to man-in-the-middle attacks where TLS traffic can be intercepted.
Of the 76 apps analyzed by Sudo Security Group, 19 are considered high-risk where financial or medical credentials, or authentication tokens, could be siphoned off by an attacker on the local network.
Those applications were not named by the researchers, who this weekend began notifying the affected developers. CEO Will Strafach told Threatpost that the apps contain networking code that accepts self-signed certificates, a feature likely left in by developers for debugging. The apps, in turn, will accept any self-signed cert and allow an attacker to present their own cert into a traffic stream and redirect supposedly secure data their way. He has named all of the low-risk apps affected in a report published yesterday; those considered medium- and high-risk will have between 60 and 90 days to remediate before they are publicly identified, Strafach said.
"An attacker can self-sign their own cert, set up a man-in-the-middle proxy tool and have it present their custom cert and man-in-the-middle any connection nearby," Strafach said. "I have is that app developers put in the code so they can internally test apps on staging servers. Internal servers are not on the public network, so they need to use a self-signed cert, and I guess they did not remove the code."
Strafach stressed that this is not something Apple can fix without breaking the security already present in a lot of the apps. For example, some custom apps work behind the firewall and use self-signed certs that are pinned to a trusted internal set of certificates or public keys. Apple's App Transport Security feature, introduced in iOS 9, which forces apps to connect over HTTPS, would be ineffective against this misconfiguration, Strafach said. ATS would see the TLS certificate, consider these connections valid TLS connections, and leave certificate validation in the app's hands.
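To make the misconfiguration concrete, here is an added illustration (not code from the article or from any of the apps it describes) of the two URLSession delegate patterns at issue: a debug-style delegate that accepts whatever trust object the server presents, next to a production delegate that runs the system's chain validation and then pins the leaf certificate. The delegate class names and the pinned hash are hypothetical placeholders.

```swift
import Foundation
import Security
import CryptoKit

// Hypothetical pinned value: SHA-256 (hex) of the production server's leaf certificate DER.
// The placeholder never matches, so until it is replaced every connection fails closed.
let pinnedLeafSHA256: Set<String> = ["PLACEHOLDER-SHA256-HEX-OF-PRODUCTION-LEAF-CERT"]

// Debug pattern the article describes: accept whatever the server presents, including a
// self-signed certificate. Left in a production build, anyone on the local network can
// terminate TLS with a certificate of their own and read or alter the traffic.
final class DebugTrustDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil); return
        }
        // No evaluation at all: the credential is built from the unverified trust object.
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// Production pattern: let the system validate the chain (trusted root, expiry, hostname),
// which is where a self-signed certificate is rejected, then additionally pin the leaf so
// that even a CA-issued certificate for the hostname is refused unless it is the expected one.
final class PinnedTrustDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil); return
        }
        // 1. Standard validation against the device trust store (iOS 12+ API).
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            completionHandler(.cancelAuthenticationChallenge, nil); return
        }
        // 2. Pin the leaf certificate by the SHA-256 of its DER encoding.
        guard let leaf = SecTrustGetCertificateAtIndex(trust, 0) else {
            completionHandler(.cancelAuthenticationChallenge, nil); return
        }
        let der = SecCertificateCopyData(leaf) as Data
        let digest = SHA256.hash(data: der).map { String(format: "%02x", $0) }.joined()
        guard pinnedLeafSHA256.contains(digest) else {
            completionHandler(.cancelAuthenticationChallenge, nil); return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}
```

Leaf pinning must be updated whenever the server certificate rotates; pinning the issuing CA or the SPKI instead trades some strictness for easier rotation.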

Of the 76 apps analyzed (a combined 18 million downloads), 33 are considered low risk, Strafach said, because most of the data at risk is device data or a limited set of personal information. Two dozen others are a medium risk and 19 are high risk, he said, personally confirming the ability to intercept credentials or session tokens for authenticated users.
"This is really a thing developers need to make sure they get right. If Apple blocks this, it would cause more problems and leave apps less secure," Strafach said. "Developers need to be careful with the level of code they're putting in apps. If they're using self-signed certificates to test apps, if they're not careful to remove this code it poses a great risk to users."
He said users can turn off Wi-Fi in situations where sensitive information is being sent over a public network, since most of these attacks will happen over Wi-Fi. Strafach said the vulnerability is still present over a cellular network, but attacks are much more complicated and expensive than over Wi-Fi, lessening the risk.
"The fix might be just changing one line, or a few lines of code," Strafach said. "Overall it boils down to making sure you do not have debug code working in a production app."