
MacRumors

macrumors bot
Original poster
Apr 12, 2001



Over the past few days a handful of reports have accumulated about two security flaws: one affecting roughly 1,500 iOS apps, and a second affecting OS X users even after Apple attempted to patch it in OS X 10.10.3.

The first flaw leaves about 1,500 iPhone and iPad apps open to attackers who could use it to steal passwords, bank account information and other sensitive data, according to Ars Technica. Flagged by security analytics firm SourceDNA last month, the "man-in-the-middle" weakness sat in AFNetworking, a widely used open-source networking library for iOS and OS X, and was fixed in the library's 2.5.2 update.

Unfortunately, some developers have yet to ship a build that uses the newer library, leaving those 1,500 apps exposed. The vulnerable version did not properly validate the server's TLS certificate, so an attacker positioned between the app and its server, most simply by running a rogue Wi-Fi hotspot that the device joins, can present a certificate of their own choosing, terminate the HTTPS connection themselves and read or alter the app's traffic in the clear; that is what the reports mean when they say the attack "can decrypt HTTPS-encrypted data". SourceDNA scanned most apps on the App Store for the flaw and built a search tool that reports whether a particular app is affected.
The day the flaw was announced & patched, a quick search in SourceDNA showed about 20,000 iOS apps (out of the 100k apps that use AFNetworking) both contained the AFNetworking library and were updated or released on the App Store after the flawed code was committed. Our system then scanned those apps with the differential signatures to see which ones actually had the vulnerable code.

The results? 55% had the older but safe 2.5.0 code, 40% were not using the portion of the library that provides the SSL API, and 5% or about 1,000 apps had the flaw. Are these apps important? We compared them against our rank data and found some big players: Yahoo!, Microsoft, Uber, Citrix, etc. It amazes us that an open-source library that introduced a security flaw for only 6 weeks exposed millions of users to attack.
Known apps still vulnerable to the man-in-the-middle attack include Citrix OpenVoice Audio Conferencing, Alibaba's mobile app and Movies by Flixster with Rotten Tomatoes. SourceDNA urges users to check their most-used apps in its search tool, and promises to remove apps that have been fixed and add newly discovered vulnerable ones over time.

The other flaw, called "Rootpipe", is a local privilege escalation bug in OS X whose origins date back to 2011, and it has been publicly known for some time. Apple intended to patch it in OS X 10.10.3 earlier this month, while older versions of OS X were left unpatched. But as reported by Forbes, former NSA staffer Patrick Wardle has found that the flaw is still exploitable on Macs running OS X 10.10.3, as well as on older versions.
Apple added access controls to block the original attack, but Wardle's code was still able to connect to the vulnerable service and start overwriting files on his Mac. "I was tempted to walk into the Apple store this [afternoon] and try it on the display models - but I stuck to testing it on my personal laptop (fully updated/patched) as well as my OS X 10.10.3 [virtual machine]. Both worked like a charm," Wardle told FORBES over email. In a blog post, he'd said his exploit was "a novel, yet trivial way for any local user to re-abuse Rootpipe".
Disclosed last October, Rootpipe lets code that is already running under a local account (in the original report an administrator account, which the default OS X user is) obtain root without being asked for a password, which in turn makes it easy to plant a persistent backdoor on the machine. An attacker first needs a foothold as a local user, meaning either physical access to a logged-in Mac or remote access they have already been granted; the bug does not by itself let anyone in from the network.

Most recently, Apple faced the "FREAK" TLS flaw, which let an attacker downgrade a vulnerable client's connection to weak export-grade encryption, affecting everything from the Apple TV to the iPod touch. The company issued security updates for all of its platforms in the weeks after the flaw's disclosure, hardening its TLS stacks and working to assuage public concern. Apple has yet to comment on the AFNetworking man-in-the-middle issue or the re-emerging Rootpipe flaw.

Update: Alamofire Software Foundation has posted a response to the controversy over the AFNetworking issue, disputing SourceDNA's figures for the number of apps affected: even if an app shipped a vulnerable version of AFNetworking, it is not susceptible to the attack as long as it communicates over HTTPS with SSL pinning enabled, since a pinned client rejects any certificate other than the one it expects regardless of how the rest of the chain is evaluated.
If your app communicates over HTTPS and enables SSL pinning, it is not vulnerable to the reported MitM attacks

A significant proportion of apps using AFNetworking took the recommended step of enabling SSL certificate or public key pinning. Those applications are not vulnerable to the reported MitM attacks.
Alamofire's Mattt Thompson tells MacRumors that there is no way to tell whether a given app is vulnerable without actually attempting a man-in-the-middle attack against it, which SourceDNA did not do. Regardless, all developers using AFNetworking in their apps should update to version 2.5.3 immediately.

Article Link: Security Flaw Affects 1500 iOS Apps While Apple's OS X 10.10.3 'Rootpipe' Fix Proves Incomplete [Updated]
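
The article's point is that the fix has existed since 2.5.2 and the exposure comes from apps that still bundle the old library. The following is an added example, not code from the article, SourceDNA or Alamofire, and not SourceDNA's binary fingerprinting: it is the cheaper check a developer (or a review pipeline, as suggested further down the thread) can run before submission, by reading the Podfile.lock that CocoaPods writes next to an iOS project. The version ranges in ADVISORIES are taken from the article and its update (2.5.1 shipped the broken certificate validation, 2.5.2 fixed it, Alamofire asks everyone to move to 2.5.3); the function names are mine and the lock file at the bottom is constructed for the demonstration.

```python
"""Audit a CocoaPods Podfile.lock for dependency versions with known TLS bugs.

Added example (not from the article, SourceDNA or Alamofire). The advisory
data below encodes what the article reports about AFNetworking; the sample
lock file is constructed.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# pod name -> ((first bad version, first fixed version), minimum recommended)
ADVISORIES: Dict[str, Tuple[Tuple[Version, Version], Version]] = {
    "AFNetworking": (((2, 5, 1), (2, 5, 2)), (2, 5, 3)),
}

# Top-level PODS entries are indented by exactly two spaces:
#   - AFNetworking (2.5.1):
#   - AFNetworking/Security (2.5.1)
# Subspec lines nested under them are indented further and carry constraints
# such as "(= 2.5.1)" rather than resolved versions, so they are skipped.
POD_LINE = re.compile(r"^  - ([A-Za-z0-9_.+-]+?)(?:/\S+)? \(([^)]+)\)")


def parse_version(text: str) -> Version:
    """'2.5.1' -> (2, 5, 1). Stops at the first non-numeric component."""
    parts: List[int] = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def parse_podfile_lock(text: str) -> Dict[str, str]:
    """Return {pod name: resolved version} from the PODS: section."""
    pods: Dict[str, str] = {}
    in_pods = False
    for line in text.splitlines():
        if line.startswith("PODS:"):
            in_pods = True
            continue
        if in_pods and line and not line[0].isspace():
            in_pods = False  # reached DEPENDENCIES:, SPEC CHECKSUMS:, ...
        if not in_pods:
            continue
        m = POD_LINE.match(line)
        if m:
            pods.setdefault(m.group(1), m.group(2))  # subspecs repeat the parent version
    return pods


def audit_lock(text: str) -> List[Tuple[str, str, str]]:
    """Return (pod, version, status) for every pod that has an advisory.

    "VULNERABLE" inside the bad range, "UPGRADE" when older than the
    recommended release but outside the bad range, "OK" otherwise.
    """
    findings = []
    for name, version in parse_podfile_lock(text).items():
        if name not in ADVISORIES:
            continue
        (first_bad, first_fixed), recommended = ADVISORIES[name]
        v = parse_version(version)
        if first_bad <= v < first_fixed:
            status = "VULNERABLE"
        elif v < recommended:
            status = "UPGRADE"
        else:
            status = "OK"
        findings.append((name, version, status))
    return findings


# Constructed sample: an app that resolved AFNetworking 2.5.1 plus an unrelated pod.
SAMPLE_LOCK = """\
PODS:
  - AFNetworking (2.5.1):
    - AFNetworking/NSURLConnection (= 2.5.1)
    - AFNetworking/Security (= 2.5.1)
  - AFNetworking/NSURLConnection (2.5.1):
    - AFNetworking/Security
  - AFNetworking/Security (2.5.1)
  - SDWebImage (3.7.1):
    - SDWebImage/Core (= 3.7.1)
  - SDWebImage/Core (3.7.1)

DEPENDENCIES:
  - AFNetworking (~> 2.5)
  - SDWebImage
"""

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    for pod, version, status in audit_lock(source):
        print(f"{status:<10} {pod} {version}")
```

Run it with a path to a real Podfile.lock, or with no argument to see the constructed sample flagged. Note that, per the Alamofire update, a hit does not prove an app is exploitable (an app that pins its certificate is not), and a clean result says nothing about apps that vendor the library by copying source files rather than through CocoaPods; the only conclusive test is the one Mattt Thompson describes, actually attempting the interception against the app.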
 

ovrlrd

macrumors 65816
Aug 29, 2009
Pretty silly that Apple can't just bundle this detection into their App Store approvals process. They could also issue massive warnings to app makers and give a deadline to fix or their apps get removed.
 

teslo

macrumors 6502a
Jun 9, 2014
'generating a fake wifi hotspot'

I don't know much about this stuff, so does this mean you'd have to willfully join an unknown network because it seemed convenient, or is it a fake wifi network disguised as yours?
 

3282869

macrumors member
Mar 27, 2015
...the Rootpipe flaw essentially allows a hidden backdoor to be created on a particular system, opening up root access of a computer to a hacker after they obtain local privileges on the device. Physical access or previously granted remote access to the target machine is required in order for the vulnerability to be exploited.

Meaning they would need your system password along with physical access or previously granted remote access.

Would simply changing your system/root password remedy this, or once they're in, "they're in"? Also, would apps such as "Little Snitch" detect remote access attempts and warn the user to Allow/Deny? Thanks!
 

b0nd18t

macrumors 6502
Apr 9, 2012
I guess these are some reasons iOS and OS X were the least secure platforms last year. Kinda sucks right?
 

tritonxl

macrumors newbie
Sep 13, 2014
I guess these are some reasons iOS and OS X were the least secure platforms last year. Kinda sucks right?

It's not the platform that is insecure here. It's a third party library that doesn't properly handle HTTPS in an OLDER version that has since been updated and patched. It's the developers of the app that are at fault here.
 

2457282

Suspended
Dec 6, 2012
My understanding (and that is far from clear) is that these are not easy hacks. It requires setting up websites or fake wifi hot spots and then requires you to access them before the hacker could gain access. If I go to a Starbucks and someone has created a fake Starbucks wifi and I join it, then maybe.

These are exposures to be sure, but ones that require me to fall into a trap. I try to be safe when surfing or when joining a hotspot. This should minimize my exposure. Plus, I don't have any of the apps mentioned that could put me at risk.
 

3282869

macrumors member
Mar 27, 2015
I guess these are some reasons iOS and OS X were the least secure platforms last year. Kinda sucks right?

This isn't specific to the OS X and iOS platforms. As someone already stated, it's the developers' use of outdated libraries. These are few-and-far-between incidents that get attention for that very reason. Windows, Android and other OSes are much more vulnerable by comparison. However, let's not make this another "War of the OSes" thread. ;)

Oh, what source stated that OS X and iOS were the least secure platforms last year? I'm actually serious; that's disconcerting if true and backed.
 

chrfr

macrumors G5
Jul 11, 2009
Meaning they would need your system password along with physical access or previously granted remote access.

Would simply changing your system/root password remedy this, or once they're in, "they're in"? Also, would apps such as "Little Snitch" detect remote access attempts and warn the user to Allow/Deny? Thanks!

You need to keep the local user out. If any local user has an account on the computer, they can get root, even without going into single user mode or any other sort of trick. If that user has SSH access, then the vulnerability remains. The scope of the vulnerability as it now exists in 10.10.3 is less clear, but in 10.9-10.10.2 it is trivial to have root access if a user has an account.
 

gpsouza

macrumors 6502
Jan 1, 2012
Lisbon
This isn't specific to the OS X and iOS platforms. As someone already stated, it's the developers' use of outdated libraries. These are few-and-far-between incidents that get attention for that very reason. Windows, Android and other OSes are much more vulnerable by comparison. However, let's not make this another "War of the OSes" thread. ;)

Oh, what source stated that OS X and iOS were the least secure platforms last year? I'm actually serious; that's disconcerting if true and backed.

Not op, but http://www.gfi.com/blog/most-vulnerable-operating-systems-and-applications-in-2014/

The trick here is that they say "OS X", as it could be any of them! On the other hand, each Windows version is treated separately.
 

Sasparilla

macrumors 68000
Jul 6, 2012
You need to keep the local user out. If any local user has an account on the computer, they can get root, even without going into single user mode or any other sort of trick. If that user has SSH access, then the vulnerability remains. The scope of the vulnerability as it now exists in 10.10.3 is less clear, but in 10.9-10.10.2 it is trivial to have root access if a user has an account.

Does anyone know how far back the root vulnerability goes? (i.e. 10.8 or 10.7 etc.) With Apple supposedly not fixing this in anything but 10.10 (still not fixed), it'd be good to know this.
 

Raima

macrumors 6502
Jan 21, 2010
Thank you for bringing the rootpipe issue to the front page. More people need to be aware of it so Apple in their best interest will take action to patch it.
 

Keerock

macrumors regular
Feb 9, 2005
Major risk!

0.107% of the apps are impacted. If you use 1.4 million as the total number of apps.

Am I underestimating the monumental risk here?

edit: not referring to rootpipe, that IS an issue.
 

D.T.

macrumors G4
Sep 15, 2011
Vilano Beach, FL
'generating a fake wifi hotspot'

i don't know much about this stuff, so does this mean you'd have to willfully join an unknown network because it seemed convenient, or it's a fake wifi network disguised as yours?

Yeah, they have to be on the same network and a network they can snoop.

The issue isn't that someone can access your device through this flaw; that is still accomplished via the same attacks: fake networks, etc. The issue is _if_ you're on a network where someone can snoop the packets, there's a cryptography flaw that would allow them to decode it.

Hacker sets up fake network
You join
Hacker monitors network traffic
You login to Amazon
Hacker decodes your login data (due to AFN flaw) and now has your auth creds

Normally, even a fake network wouldn't automatically mean you're going to get hacked if the communication is happening across a cryptographically secure connection.

Heck, I use(d) AFNetworking, it's terrific for backend communication.
 

ArtOfWarfare

macrumors G3
Nov 26, 2007
Pretty silly that Apple can't just bundle this detection into their App Store approvals process. They could also issue massive warnings to app makers and give a deadline to fix or their apps get removed.

If Apple stopped giving developers crap for built in libraries, people would stop using third party libraries like AFNetworking. Then none of this would be an issue.

I've stopped developing native apps, period, because none of the companies creating OSs, not Apple, not Google, not Microsoft, give their developers good libraries to work with.

I stick with Python, Unity, and Meteor for all my different projects, because they're all cross platform, and they each have a better set of batteries included than anything native.
 

2010mini

macrumors 601
Jun 19, 2013
My understanding (and that is far from clear) is that these are not easy hacks. It requires setting up websites or fake wifi hot spots and then requires you to access them before the hacker could gain access. If I go to a Starbucks and someone has created a fake Starbucks wifi and I join it, then maybe.

These are exposures to be sure, but ones that require me to fall into a trap. I try to be safe when surfing or when joining a hotspot. This should minimize my exposure. Plus, I don't have any of the apps mentioned that could put me at risk.

Yes, but the thing is, with iOS devices we don't have access to control all the wifi networks. Only when you are connected can you delete it. If you joined Starbucks last week at one location, and someone created a fake wifi named Starbucks somewhere else... once your phone is in range it will join it, even if you are not using your device.

That is not good. Apple needs to give us access to view and delete all the networks we connect to.
 

Westside guy

macrumors 603
Oct 15, 2003
The soggy side of the Pacific NW
Rootpipe is a local escalation of privileges exploit. If you have "guest user" disabled, and you're the only one with login credentials on your Mac, you're okay.

The bad news is - the guest user account login is enabled by default. :D TURN IT OFF.
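
Both chrfr and Westside guy reduce the Rootpipe question to one rule: the flaw needs an existing local login, so the exposure is every account other than your own, plus the Guest login. The following is an added example, not from the article, Forbes, Wardle's write-up or Apple, that turns that rule into a check you can run. It calls the stock OS X directory-service and preferences tools (`dscl . -list /Users UniqueID`, `dscl . -read /Groups/admin GroupMembership`, `defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled`); the parsing is kept separate from the invocation so the logic also runs on any other machine against the constructed sample output embedded below. The function names and the sample output are mine; the owner account is assumed to be the user running the script.

```python
"""List the local accounts that could use a Rootpipe-style local root escalation.

Added example (not from the article, Forbes, Wardle's write-up or Apple).
Flags every account that can log in locally, which of them are administrators
(the original report needed an admin account, and the default OS X user is
one), and whether the Guest login is still enabled. Sample output below is
constructed to look like what the real commands print.
"""
import getpass
import json
import subprocess
from typing import Dict, List, Optional


def run(cmd: List[str]) -> Optional[str]:
    """Run a command and return its stdout, or None if it is missing or fails."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None


def parse_dscl_list(output: str) -> Dict[str, int]:
    """Parse 'dscl . -list /Users UniqueID' output ('name   uid' per line)."""
    users: Dict[str, int] = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lstrip("-").isdigit():
            users[parts[0]] = int(parts[1])
    return users


def parse_group_membership(output: str) -> List[str]:
    """Parse 'dscl . -read /Groups/admin GroupMembership' ('GroupMembership: root alice')."""
    for line in output.splitlines():
        if line.startswith("GroupMembership:"):
            return line.split(":", 1)[1].split()
    return []


def assess(users: Dict[str, int], admins: List[str], guest_enabled: bool, owner: str) -> dict:
    """Apply the thread's rule: exposed if anyone but the owner can log in locally.

    Human accounts on OS X get UIDs from 500 upward; system accounts sit below
    that and are prefixed with an underscore.
    """
    humans = sorted(n for n, uid in users.items() if uid >= 500 and not n.startswith("_"))
    others = [n for n in humans if n != owner]
    return {
        "login_accounts": humans,
        "admin_accounts": [n for n in humans if n in admins],
        "other_accounts": others,
        "guest_enabled": guest_enabled,
        "exposed": bool(others) or guest_enabled,
    }


# Constructed sample output, shaped like the real commands' output.
SAMPLE_DSCL_LIST = """\
_amavisd                 83
_www                     70
daemon                   1
nobody                   -2
root                     0
alice                    501
bob                      502
"""
SAMPLE_ADMIN_GROUP = "GroupMembership: root alice\n"


def audit(owner: str) -> dict:
    """Collect live data on OS X; fall back to the constructed sample elsewhere."""
    listing = run(["dscl", ".", "-list", "/Users", "UniqueID"])
    if listing is None:
        listing, group, guest = SAMPLE_DSCL_LIST, SAMPLE_ADMIN_GROUP, "0"
    else:
        group = run(["dscl", ".", "-read", "/Groups/admin", "GroupMembership"]) or ""
        # GuestEnabled lives in the loginwindow preferences; an absent key means off.
        guest = run(["defaults", "read", "/Library/Preferences/com.apple.loginwindow",
                     "GuestEnabled"]) or "0"
    return assess(parse_dscl_list(listing), parse_group_membership(group),
                  guest.strip() == "1", owner)


if __name__ == "__main__":
    print(json.dumps(audit(getpass.getuser()), indent=2))
```

A report with `"exposed": true` means there is a second local account, or the Guest login, through which Rootpipe could be reached; the remedy the thread gives is to remove accounts you do not need and turn Guest off. Keep in mind the limit chrfr points out: on 10.9 through 10.10.2 the escalation is trivial for any such account, and on 10.10.3 Wardle's write-up says "any local user" can still re-abuse it, so this audit tells you who could, not whether your particular build is patched.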
 

3282869

macrumors member
Mar 27, 2015
I've been running the AntiVirus Sentinel Pro app in OS X 10.10.3 and have had several MitM attacks blocked.

Ugh. I've been using OS X for over a decade, the day any AntiVirus software is needed (i.e. a must), I'll die a little inside.

Slightly OT: My friends and I joke about who has time to create viruses/worms/etc. They aren't getting paid to spend hours a day for weeks, sometimes longer, to create a virus that normally holds little financial access/gain. One NYE, I was in SLC skiing with friends (and friends of friends) from SF and London, one of them worked in marketing for McAfee or such. Talking about viruses, we joked about who makes them and kidded it was the AntiVirus companies in order to create a market for their product. The guy from McAfee looked away and sipped his beer in a not so subtle way of suggesting truth, although I'm sure he was kidding... right? :eek:
 

usarioclave

macrumors 65816
Sep 26, 2003
The SSL one isn't as big of a deal as they make it out to be, in that you need to be in a privileged network position to exploit it. That's not to say that doesn't happen, but it's far from a "the world is falling" problem.

And there are problems with strict validation anyway, which is why you may not want to use it (see the Wink hub problem). I can tell you that there are devices out there that are built with certs that you can't get anymore, which means those devices will become bricks someday.
 

Compile 'em all

macrumors 601
Apr 6, 2005
My understanding (and that is far from clear) is that these are not easy hacks. It requires setting up websites or fake wifi hot spots and then requires you to access them before the hacker could gain access. If I go to a Starbucks and someone has created a fake Starbucks wifi and I join it, then maybe.

These are exposures to be sure, but ones that require me to fall into a trap. I try to be safe when surfing or when joining a hotspot. This should minimize my exposure. Plus, I don't have any of the apps mentioned that could put me at risk.

All of these hacks are actually easy. Setting up a hotspot is pretty damn easy, you can even do that with your Mac. The average computer user, especially a Mac user, doesn't care about security and "traps". If you will find a WiFi, I guarantee you 99.9% of people encountering it will connect to it.

Apple seems to have stepped up their game after Snowden revelations, but their security team (judging by their inability to correctly patch security holes) speaks volumes about their competency.

Dear Apple, since you are so keen on hiring fashion designers and sending 10k watches to celebrities, maybe you can acquire a couple of security firms and start hiring some hackers.
 