SECURITY experts have identified a new flaw found in dozens of popular iPhone apps that could let hackers gain access to your sensitive data including banking details.
Infosec expert Will Strafach has published a blog post warning that a scan of popular apps on the Apple App Store had found 76 apps vulnerable to attack, with a “backdoor” which would allow a hacker to carry out “man in the middle” attacks that let them access the data being sent from the phone to the cloud.
The blog post names 33 apps that are vulnerable to attack, including a banking app called FirstBank PR Mobile Banking and the Uconnect Access app that lets people locate their car and remotely unlock it.
The apps named in the blog post today are considered low risk, but Strafach warns that a further 43 apps are at high or medium risk of being hacked; these will be named in a few weeks, after the app developers have been given the chance to fix the flaw.
Strafach said the security hole “is derived from networking-related code within iOS applications being misconfigured in a highly unfortunate manner”.
Several of the apps on the list released today are add-on apps for Snapchat users, including apps to upload photos and videos to Snapchat and apps for increasing Snapchat contacts. Another app, called Epic!, promises “unlimited books for kids”.
Mr Strafach said the nature of the flaw meant Apple could not issue a widespread fix, because addressing the problem at the platform level would make the affected apps more vulnerable to attack.
“The onus rests solely on app developers themselves to ensure their apps are not vulnerable,” he said.
The blog post contains the full list of apps named and shamed so far.
Mr Strafach says the bad design was mainly a problem when the phone was connected to a Wi-Fi network.
“If you are in a public location and need to perform a sensitive action on your mobile device (such as opening your bank app and checking your account balance), you can work around the issue by opening “Settings” and turning the “Wi-Fi” switch off prior to the sensitive action,” he said.
“While on a cellular connection the vulnerability does still exist, cellular interception is more difficult, requires expensive hardware, is far more noticeable, and it is quite illegal (within the United States).
“Therefore, it is much less plausible for an attacker to risk attempting to intercept a cellular data connection.”