A score of popular apps from Apple Store with at least 18 million downloads were included in a security report due to vulnerabilities against data interception. Sudo Security Group found out that these iOS apps are using their back-end services to implement encryptions. This process is thought to be dangerous because a third-party with proper knowledge can easily extract and intercept the incoming or outgoing data.

In technical perspective, these iOS apps can be tricked through a proxy with a fake certificate. Most of the apps are using Transport Layer Security which offers a chance for data un-encryption. Not only are the users' credentials being compromised, but so are their billing details, location and virtual addresses.

The iOS apps in scrutiny are using App Transport Security or ATS which was introduced way back in iOS 9, Sudo's Will Strafach reported. ATS forces an app to connect through HTTPS connections where "S" stands for secured data encryption. Otherwise plain HTTP is the traditional low-encrypted data handler.

To make matters worse, Sudo Security said that the iOS apps deemed vulnerable are ranging from simple add-ons to social media apps to data-sensitive banking apps like FirstBank PR. The report also stated that there is a total of 76 apps assessed. They sub-categorized these iOS apps into three classifications depending on the level of vulnerability, MacRumors said.

Of the total number, 33 were classified as low risk because they only store partially sensitive data like emails and physical address. 24 others were placed under medium risk class while the remaining 19 were deemed high risk. High risk apps are those that contain very sensitive data like financial and banking records.

Meanwhile, there is a debate over the Sudo Security report because they publicized only the low risk iOS apps and some of those from medium risk. Apple Store users are still in the dark since Sudo chose not to divulge the names of high risk apps.

© Copyright 2024 Mobile & Apps, All rights reserved. Do not reproduce without permission.