Researchers Find Thousands of iOS Apps Ignoring Security

Published: 23/11/2024   Category: security




A critical data encryption tool, included by default in iOS, is being turned off in more than two-thirds of popular apps.



When a computing platform has a security feature built in, why would a developer decide not to use it? A better question might be, why would more than 20,000 iOS apps be published without an Apple encryption feature that's turned on by default?
Those are among the questions researchers at Wandera sought to answer when they analyzed more than 30,000 commonly used iOS apps found in the App Store. They found that App Transport Security (ATS), a set of rules and app extensions Apple provides as part of the Swift development platform, is turned off and not used by a majority of the app developers they saw.
Michael Covington, vice president at Wandera, says researchers began looking for answers when they saw critical information being passed in the clear. The company has traditionally looked for any personally identifiable information (PII) going across the network without encryption, he says.
"Apple has this framework in place that essentially should be forcing developers to encrypt anything that they sent out on the network, let alone user names, passwords, and credit card numbers," he says. So when Wandera researchers saw information flowing without encryption, they asked, "How were these things making it through?" Covington says. "And that's what led us to ATS."
Covington says he believes many developers disable ATS because they feel it will impact app performance. Those concerns, he says, come from legacy servers and mobile devices that had very limited CPUs, but today's systems can easily handle HTTPS everywhere.
Other developers disable ATS because they depend on ad networks for revenue from free apps. Many of those ad networks, including those from Facebook, rely on unencrypted connections.
In early versions of ATS, developers could only control the service by turning it on or off. Since iOS 10, though, developers have had the ability to turn it on and off for specific functions within the app. Still, as Wandera researchers point out in their report on the issue, many developers have never changed their practices to use the more granular control available for ATS.
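An added example, not from the Wandera report or the article: a Python check that separates an Info.plist that turns ATS off for every connection from one that uses the scoped controls described above. The sample plists and the domain ads.example.com are constructed for illustration; the key names are Apple's documented ATS Info.plist keys.

```python
import plistlib

# Scoped ATS keys. On iOS 10 and later, the presence of any of them makes
# the OS ignore NSAllowsArbitraryLoads and use the default (NO) instead.
SCOPED_KEYS = ("NSAllowsArbitraryLoadsInWebContent",
               "NSAllowsArbitraryLoadsForMedia",
               "NSAllowsLocalNetworking")

def audit_ats(plist_bytes):
    """Return (severity, message) findings for one Info.plist."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    scoped_present = [k for k in SCOPED_KEYS if k in ats]
    if ats.get("NSAllowsArbitraryLoads") is True:
        if scoped_present:
            findings.append(("info", "NSAllowsArbitraryLoads ignored on iOS 10+ "
                             "because of " + ", ".join(scoped_present)))
        else:
            findings.append(("high", "ATS disabled for every connection"))
    for key in scoped_present:
        if ats[key] is True:
            findings.append(("medium", f"{key} permits cleartext in that scope"))
    # Per-domain exceptions: the narrowest way to allow a legacy HTTP endpoint.
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            scope = "and subdomains" if rules.get("NSIncludesSubdomains") else "only"
            findings.append(("low", f"HTTP allowed for {domain} {scope}"))
    return findings

# Constructed sample Info.plist contents (not taken from any real app).
GLOBAL_OFF = plistlib.dumps(
    {"NSAppTransportSecurity": {"NSAllowsArbitraryLoads": True}})
GRANULAR = plistlib.dumps({"NSAppTransportSecurity": {"NSExceptionDomains": {
    "ads.example.com": {"NSExceptionAllowsInsecureHTTPLoads": True,
                        "NSIncludesSubdomains": True}}}})
MIXED = plistlib.dumps({"NSAppTransportSecurity": {
    "NSAllowsArbitraryLoads": True,
    "NSAllowsArbitraryLoadsInWebContent": True}})

if __name__ == "__main__":
    for name, blob in (("global-off", GLOBAL_OFF), ("granular", GRANULAR),
                       ("mixed", MIXED)):
        print(name, audit_ats(blob))
```

The severity labels are this example's own ranking, not a classification from Apple or Wandera.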
While the original research focused on consumer apps, Covington says he's concerned about enterprise apps developed by — or for — large corporations. "One of our customers in pharmaceuticals has about 500 mobile apps that they build and maintain annually," he explains. "Those are the apps that are either being outsourced to third-party developers or are being built in-house where security is not the primary focus."
And yet those apps carry very sensitive data on a regular basis.
Covington says he expects to see more examples of security events that take advantage of these unencrypted apps. Until Apple or customers force developers to enable encryption for sensitive data transmission in all of their apps, it seems VPNs may be the only way corporations and consumers can be sure their PII remains private.