Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

Researchers Finds Thousands of iOS Apps Ignoring Security

A critical data encryption tool, included by default in iOS, is being turned off in more than two-thirds of popular apps.

When a computing platform has a security feature built in, why would a developer decide not to use it? A better question might be, why would more than 20,000 iOS apps be published without an Apple encryption feature that's turned on by default?

Those are among the questions researchers at Wandera sought to answer when they analyzed more than 30,000 commonly used iOS apps found in the App Store. They found that App Transport Security (ATS), a set of rules and app extensions Apple provides as part of the Swift development platform, is turned off and not used by a majority of the app developers they saw.

Michael Covington, vice president at Wandera, says researchers began looking for answers when they saw critical information being passed in the clear. The company has traditionally looked for any personally identifiable information (PII) going across the network without encryption, he says.

"Apple has this framework in place that essentially should be forcing developers to encrypt anything that they sent out on the network, let alone user names, passwords, and credit card numbers," he says. So when Wandera researchers saw information flowing without encryption, they asked, "How were these things making it through?" Covington says. "And that's what led us to ATS."

Covington says he believes many developers disable ATS because they feel it will impact app performance. Those concerns, he says, come from legacy servers and mobile devices that had very limited CPUs, but today's systems can easily handle "HTTPS everywhere." 

Other developers disable ATS because they depend on ad networks for revenue from free apps. Many of those ad networks, including those from Facebook, rely on unencrypted connections.

In early versions of ATS, developers could only control the service by turning it on or off. Since iOS 10, though, developers have had the ability to turn it on and off for specific functions within the app. Still, as Wandera researchers point out in their report on the issue, many developers have never changed their practices to use the more granular control available for ATS.

While the original research focused on consumer apps, Covington says he's concerned about enterprise apps developed by — or for — large corporations. "One of our customers in pharmaceuticals has about 500 mobile apps that they build and maintain annually," he explains. "Those are the apps that are either being outsourced to third-party developers or are being built in-house where security is not the primary focus."

And yet those apps carry very sensitive data on a regular basis.

Covington says he expects to see more examples of security events that take advantage of these unencrypted apps. Until Apple or customers force developers to enable encryption for sensitive data transmission in all of their apps, it seems VPNs may be the only way corporations and consumers can be sure their PII remains private.

Related Content:

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
tonada1962
100%
0%
tonada1962,
User Rank: Apprentice
6/9/2019 | 6:38:18 PM
How to Tell if No ATS
So how does a person determine if they have an app that does not use ATS?
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7989
PUBLISHED: 2020-01-26
Adive Framework 2.0.8 has admin/user/add userUsername XSS.
CVE-2020-7990
PUBLISHED: 2020-01-26
Adive Framework 2.0.8 has admin/user/add userName XSS.
CVE-2020-7991
PUBLISHED: 2020-01-26
Adive Framework 2.0.8 has admin/config CSRF to change the Administrator password.
CVE-2020-7984
PUBLISHED: 2020-01-26
SolarWinds N-central before 12.1 SP1 HF5 and 12.2 before SP1 HF2 allows remote attackers to retrieve cleartext domain admin credentials from the Agent & Probe settings, and obtain other sensitive information. The attacker can use a customer ID to self register and read any aspects of the agent/a...
CVE-2019-16029
PUBLISHED: 2020-01-26
A vulnerability in the application programming interface (API) of Cisco Smart Software Manager On-Prem could allow an unauthenticated, remote attacker to change user account information which can prevent users from logging in, resulting in a denial of service (DoS) condition of the web interface. Th...