A new report from mobile security company Sudo Security Group reveals that 76 iOS apps have vulnerabilities which could allow hackers to intercept sensitive financial or health data sent over Wi-Fi.
We’re talking about popular apps for free video calling, getting cash rewards and doing mobile banking, plus five apps that are focused solely on the popular social network Snapchat!
Man-in-the-middle attack vulnerabilities
Will Strafach of Sudo Security Group writes in his latest blog post that he discovered dozens of apps that can be hit by so-called ‘man-in-the-middle’ data interception attacks.
Such attacks would allow a hacker on the same Wi-Fi network to decrypt the data an app sends, because of a flaw in the code the app developers wrote: the app fails to properly check the server’s certificate, so a forged certificate is accepted as genuine.
The good news here is that 33 of the affected iOS apps that Strafach discovered had only a low-risk vulnerability.
For these apps (listed below), there’s a danger that hackers could intercept your mobile device’s analytics data, e-mail address or login credentials, according to Sudo Security Group.
- ooVoo — Free Video Call, Text and Voice: Username and Password are vulnerable to interception. This was also documented in 2013 by Nick Arnott.
- VivaVideo — Free Video Editor & Photo Movie Maker: OS Version, Device Model, and Search Queries are vulnerable to interception.
- Snap Upload for Snapchat — Send Photos & Videos: Snapchat Username and Password are sent to “sc.apparser.com” and are vulnerable to interception. We have noted similar behavior in March 2016 within iOS apps which contain the same functionality.
- Uconnect Access: Username, Pandora Username/Password (during initial setup), and Slacker Radio Username/Password (during initial setup) are vulnerable to interception. The Login API is confirmed to properly validate certificates, so it is unlikely that an attacker could utilize this vulnerability to cause any problems for your vehicle.
- Volify — Free Online Music Streamer & MP3 Player: OS Version, Device Model, Cellular Network Name, and Battery Information are vulnerable to interception.
- Uploader Free for Snapchat — Quick Upload Snap from Camera Roll: This contains most of the same code as the above “Snap Upload for Snapchat — Send Photos & Videos” application albeit with a slightly different user interface. The same data is vulnerable to interception.
- Epic! — Unlimited Books for Kids: Encryption keys are vulnerable to interception. There is likely to be no adverse effects for the end user arising from interception, as the keys are highly likely to be DRM related.
- Mico — Chat, Meet New People: E-Mail Address and OS version are vulnerable to interception.
- Safe Up for Snapchat — Quick Upload photos and videos from your camera roll: Snapchat Username and Password are sent to “api.uapptrack.com” and are vulnerable to interception.
- Tencent Cloud: Analytics information (obfuscated) is vulnerable to interception.
- Uploader for Snapchat — Quick Upload Pics & Videos to Snapchat: This contains most of the same code as the above “Snap Upload for Snapchat — Send Photos & Videos” application albeit with a slightly different user interface. The same data is vulnerable to interception.
- Huawei HiLink (Mobile WiFi): OS Version and Device Model are vulnerable to interception.
- VICE News: OS Version, Device Model, and First-Party API Calls are vulnerable to interception.
- Trading 212 Forex & Stocks: Username is vulnerable to interception. The Login API is confirmed to properly validate certificates, so password is not vulnerable to interception.
- 途牛旅游-订机票酒店火车票汽车票特价旅行: OS Version, Device Model, Wi-Fi Network Name, and Wi-Fi Network BSSID are vulnerable to interception.
- CashApp — Cash Rewards App: OS Version and Cellular Network Name are vulnerable to interception.
- [Clone of legitimate service] (Removed from App Store as of 7 Feb 2017): OS Version, Device Model, Mobile Network Code, and Mobile Country Code are vulnerable to interception. (Update: This application was misusing the trademark of a legitimate service of which it has no relation to — The name has been removed to avoid confusion).
- 1000 Friends for Snapchat — Get More Friends & Followers for Snapchat: This contains most of the same code as the above “Safe Up for Snapchat — Quick Upload photos and videos from your camera roll” application albeit with a slightly different user interface. The same data is vulnerable to interception.
- YeeCall Messenger-Free Video Call&Conference Call: E-Mail Address and Phone Number are vulnerable to interception.
- InstaRepost — Repost Videos & Photos for Instagram Free Whiz App: Analytics information (obfuscated) is vulnerable to interception.
- Loops Live: Mobile Network Code and Mobile Country Code are vulnerable to interception.
- Privat24: OS Version and Device Model are vulnerable to interception. The Login API is confirmed to properly validate certificates, so password is not vulnerable to interception.
- Private Browser — Anonymous VPN Proxy Browser: Facebook Analytics Data and First-Party API Calls are vulnerable to interception. The payloads of API calls appear to be obfuscated; it is possible that further data can be found here.
- Cheetah Browser: OS Version, Device Model, GPS Location, and Autocomplete keystrokes (Google + Baidu) are vulnerable to interception.
- AMAN BANK: Generic API calls (Such as ATM Locator) are vulnerable to interception. No “Login” functionality could be located within this application, therefore ability to intercept login credentials remains unclear.
- FirstBank PR Mobile Banking: App version check API call is vulnerable to interception. The Login API is confirmed to properly validate certificates, so password is not vulnerable to interception.
- vpn free — OvpnSpider for vpngate: VPN Server List and VPN Server Information are vulnerable to interception and manipulation.
- Gift Saga — Free Gift Card & Cash Rewards: OS Version, Device Model, Mobile Network Code, and Mobile Country Code are vulnerable to interception.
- Vpn One Click Professional: VPN Server List, VPN Server Information, and direct “Mobileconfig” download links are vulnerable to interception and manipulation.
- Music tube — free imusic playlists from Youtube: Video List and Search Queries are vulnerable to interception.
- AutoLotto: Powerball, MegaMillions Lottery Tickets: API calls (such as retrieval of drawing dates/times) are vulnerable to interception.
- Foscam IP Camera Viewer by OWLR for Foscam IP Cams: API calls are vulnerable to interception.
- Code Scanner by ScanLife: QR and Barcode Reader: OS Version, Device Model, Mobile Network Code, Mobile Country Code, and Beacon List are vulnerable to interception.
There’s a bigger problem here
The bigger problem here involves the remaining iOS apps not included on this list.
Twenty-four of those apps have a medium vulnerability risk, indicating a ‘confirmed ability’ for hackers to get your login credentials ‘and/or session authentication tokens for logged in users.’
Nineteen other apps not listed here are deemed a high vulnerability risk, which means hackers have a ‘confirmed ability’ to intercept medical and financial information at will.
Strafach did not disclose the names of these medium and high vulnerability apps because of obvious security concerns.
His group is now getting in touch with the medical providers, banks and others who are on this secret list so they can close the holes in their app code.
What can you do about this problem?
Apple wants developers to use its App Transport Security (ATS) feature to fix this problem, though Wired notes that ATS alone won’t clear up the underlying certificate verification issues, because an app’s own code can still override the certificate check that ATS requires.
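To show what the flaw described earlier and the fix Apple points to actually look like, here is an added illustration in Swift. It is not code from Strafach’s report or from any of the listed apps, and the class names are hypothetical. The first delegate accepts whatever certificate the server presents, which is the pattern that lets a forged certificate through; the second hands the decision back to the system’s chain-of-trust evaluation.

```swift
import Foundation
import Security

// Added example (hypothetical names, not any listed app's code).
//
// When an app talks to its server over HTTPS, URLSession asks the app's
// delegate whether to trust the server's certificate. How the delegate
// answers decides whether a man-in-the-middle on the same Wi-Fi succeeds.

// VULNERABLE PATTERN: every presented certificate is accepted, so any
// forged certificate is treated as genuine and the traffic can be read.
// This is the mistake to look for in a code review; do not ship it.
final class AcceptAnythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition,
                                                  URLCredential?) -> Void) {
        if let trust = challenge.protectionSpace.serverTrust {
            // Unconditional approval: the chain, issuer, expiry and
            // hostname are never checked.
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

// FIXED PATTERN: run the system's trust evaluation and refuse the
// connection if it fails.
final class ValidatingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition,
                                                  URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod
                == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            // Not a server-trust challenge: let the system handle it.
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // SecTrustEvaluateWithError checks the certificate chain against the
        // device's trusted roots, the validity dates and the hostname.
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            // A forged or otherwise invalid certificate ends the connection.
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// Usage: the session that carries login or banking traffic is built with
// the validating delegate.
let session = URLSession(configuration: .default,
                         delegate: ValidatingDelegate(),
                         delegateQueue: nil)
```

The simplest correct choice is to not implement this delegate method at all, in which case URLSession performs the default validation itself. ATS, configured in the app’s Info.plist, requires the connection to use HTTPS with modern TLS settings, but it does not stop a delegate like the first one from approving a bad certificate, which is why the report says turning on ATS alone is not enough. A reviewer auditing an app can grep its networking code for an unconditional `.useCredential` with `URLCredential(trust:)`.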
Meanwhile, we’ve all heard the advice about not doing any sensitive medical or financial transactions on your phone when you’re on public Wi-Fi. Strafach says that if you have to check your bank account when you’re out and about, you should be sure to turn Wi-Fi off and use a cellular network.
While it is possible for hackers to breach a cell network, it’s much less likely that they’ll do so.
Here are some additional ways you can stay safe:
Keep your operating system updated
Always make sure you install the latest software updates for your operating system. These often include security fixes that help protect your device.
Don’t mess with your OS
Resist the temptation to jailbreak or otherwise tamper with your operating system. People sometimes do this to install apps that aren’t sanctioned by the App Store. Don’t do it!
Don’t click on strange texts
Android users got a real scare last year when a report emerged that they could be hacked by text message.
Cast a critical eye on text messages from your bank
Maybe you’ve signed up for texts from your bank. But then a text comes through you weren’t expecting with a link for you to click to update your info. What do you do?
While it may be legit, your best bet is to play it safe. Get off your phone, get onto a secure network (preferably from a computer with good anti-virus software on it) and log into your bank’s official website. If the text from your bank was a legit one, you should see the same request for your info at the bank’s official website. Then you can give them whatever info they’re asking for.
Only trust downloads directly from financial websites
When it comes to downloading mobile banking apps, be sure you only install your bank, credit union or brokerage firm’s official apps that you find at their websites.
Check your statements diligently
Go through your bank statement line-by-line on a daily basis. Report any suspicious charges immediately.
Have a different password for each financial site
You’re going to need a unique password for each financial account you have: bank, credit union, brokerage account, etc. That way, if one is compromised, the crooks won’t have automatic access to every financial account in your life.