Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

Researchers Finds Thousands of iOS Apps Ignoring Security

A critical data encryption tool, included by default in iOS, is being turned off in more than two-thirds of popular apps.

When a computing platform has a security feature built in, why would a developer decide not to use it? A better question might be, why would more than 20,000 iOS apps be published without an Apple encryption feature that's turned on by default?

Those are among the questions researchers at Wandera sought to answer when they analyzed more than 30,000 commonly used iOS apps found in the App Store. They found that App Transport Security (ATS), a set of rules and app extensions Apple provides as part of the Swift development platform, is turned off and not used by a majority of the app developers they saw.

Michael Covington, vice president at Wandera, says researchers began looking for answers when they saw critical information being passed in the clear. The company has traditionally looked for any personally identifiable information (PII) going across the network without encryption, he says.

"Apple has this framework in place that essentially should be forcing developers to encrypt anything that they sent out on the network, let alone user names, passwords, and credit card numbers," he says. So when Wandera researchers saw information flowing without encryption, they asked, "How were these things making it through?" Covington says. "And that's what led us to ATS."

Covington says he believes many developers disable ATS because they feel it will impact app performance. Those concerns, he says, come from legacy servers and mobile devices that had very limited CPUs, but today's systems can easily handle "HTTPS everywhere." 

Other developers disable ATS because they depend on ad networks for revenue from free apps. Many of those ad networks, including those from Facebook, rely on unencrypted connections.

In early versions of ATS, developers could only control the service by turning it on or off. Since iOS 10, though, developers have had the ability to turn it on and off for specific functions within the app. Still, as Wandera researchers point out in their report on the issue, many developers have never changed their practices to use the more granular control available for ATS.

While the original research focused on consumer apps, Covington says he's concerned about enterprise apps developed by — or for — large corporations. "One of our customers in pharmaceuticals has about 500 mobile apps that they build and maintain annually," he explains. "Those are the apps that are either being outsourced to third-party developers or are being built in-house where security is not the primary focus."

And yet those apps carry very sensitive data on a regular basis.

Covington says he expects to see more examples of security events that take advantage of these unencrypted apps. Until Apple or customers force developers to enable encryption for sensitive data transmission in all of their apps, it seems VPNs may be the only way corporations and consumers can be sure their PII remains private.

Related Content:

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tonada1962
100%
0%
tonada1962,
User Rank: Apprentice
6/9/2019 | 6:38:18 PM
How to Tell if No ATS
So how does a person determine if they have an app that does not use ATS?
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Malware Attacks Declined But Became More Evasive in Q2
Jai Vijayan, Contributing Writer,  9/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15216
PUBLISHED: 2020-09-29
In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revisio...
CVE-2020-4607
PUBLISHED: 2020-09-29
IBM Security Secret Server (IBM Security Verify Privilege Vault Remote 1.2 ) could allow a local user to bypass security restrictions due to improper input validation. IBM X-Force ID: 184884.
CVE-2020-24565
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...
CVE-2020-25770
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...
CVE-2020-25771
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...