Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

Researchers Finds Thousands of iOS Apps Ignoring Security

A critical data encryption tool, included by default in iOS, is being turned off in more than two-thirds of popular apps.

When a computing platform has a security feature built in, why would a developer decide not to use it? A better question might be, why would more than 20,000 iOS apps be published without an Apple encryption feature that's turned on by default?

Those are among the questions researchers at Wandera sought to answer when they analyzed more than 30,000 commonly used iOS apps found in the App Store. They found that App Transport Security (ATS), a set of rules and app extensions Apple provides as part of the Swift development platform, is turned off and not used by a majority of the app developers they saw.

Michael Covington, vice president at Wandera, says researchers began looking for answers when they saw critical information being passed in the clear. The company has traditionally looked for any personally identifiable information (PII) going across the network without encryption, he says.

"Apple has this framework in place that essentially should be forcing developers to encrypt anything that they sent out on the network, let alone user names, passwords, and credit card numbers," he says. So when Wandera researchers saw information flowing without encryption, they asked, "How were these things making it through?" Covington says. "And that's what led us to ATS."

Covington says he believes many developers disable ATS because they feel it will impact app performance. Those concerns, he says, come from legacy servers and mobile devices that had very limited CPUs, but today's systems can easily handle "HTTPS everywhere." 

Other developers disable ATS because they depend on ad networks for revenue from free apps. Many of those ad networks, including those from Facebook, rely on unencrypted connections.

In early versions of ATS, developers could only control the service by turning it on or off. Since iOS 10, though, developers have had the ability to turn it on and off for specific functions within the app. Still, as Wandera researchers point out in their report on the issue, many developers have never changed their practices to use the more granular control available for ATS.

While the original research focused on consumer apps, Covington says he's concerned about enterprise apps developed by — or for — large corporations. "One of our customers in pharmaceuticals has about 500 mobile apps that they build and maintain annually," he explains. "Those are the apps that are either being outsourced to third-party developers or are being built in-house where security is not the primary focus."

And yet those apps carry very sensitive data on a regular basis.

Covington says he expects to see more examples of security events that take advantage of these unencrypted apps. Until Apple or customers force developers to enable encryption for sensitive data transmission in all of their apps, it seems VPNs may be the only way corporations and consumers can be sure their PII remains private.

Related Content:

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tonada1962
100%
0%
tonada1962,
User Rank: Apprentice
6/9/2019 | 6:38:18 PM
How to Tell if No ATS
So how does a person determine if they have an app that does not use ATS?
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
6 Top Nontechnical Degrees for Cybersecurity
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/21/2019
Anatomy of a BEC Scam
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3654
PUBLISHED: 2019-11-22
Authentication Bypass vulnerability in the Microsoft Windows client in McAfee Client Proxy (MCP) prior to 3.0.0 allows local user to bypass scanning of web traffic and gain access to blocked sites for a short period of time via generating an authorization key on the client which should only be gener...
CVE-2014-2214
PUBLISHED: 2019-11-22
Multiple cross-site scripting (XSS) vulnerabilities in POSH (aka Posh portal or Portaneo) 3.0 through 3.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) error parameter to /includes/plugins/mobile/scripts/login.php or (2) id parameter to portal/openrssarticle.php
CVE-2014-6310
PUBLISHED: 2019-11-22
Buffer overflow in CHICKEN 4.9.0 and 4.9.0.1 may allow remote attackers to execute arbitrary code via the 'select' function.
CVE-2014-6311
PUBLISHED: 2019-11-22
generate_doygen.pl in ace before 6.2.7+dfsg-2 creates predictable file names in the /tmp directory which allows attackers to gain elevated privileges.
CVE-2019-16763
PUBLISHED: 2019-11-22
In Pannellum from 2.5.0 through 2.5.4 URLs were not sanitized for data URIs (or vbscript:), allowing for potential XSS attacks. Such an attack would require a user to click on a hot spot to execute and would require an attacker-provided configuration. The most plausible potential attack would be if ...