A critical MiTM flaw in AFNetworking iOS, OS X framework was fixed

Pierluigi Paganini March 28, 2015

Security experts at Minded Security firm have recently discovered a flaw in the popular networking library for iOS and OS X AFNetworking.

The researchers Simone Bovi and Mauro Gentile at the security firm Minded Security discovered a flaw in the popular networking library for iOS and OS X AFNetworking. The researchers found the flaw while were conducting the analysis of a mobile application for one of their clients.were conducting the analysis of a mobile application for one of their clients.

The flaw appeared very serious, popular mobile applications like Pinterest, Vine, Herokuand Simple use the networking library for iOS and OS X exposing the users to man-in-the-middle (MiTM) attacks.

flaw  iOS and OS X AFNetworking 2

The development team behind the framework AFNetworking promptly pushed a fix for the security issue.

“It turned out that because of a logic flaw in the latest version of the library, SSL MiTM attacks are feasible in apps using AFNetworking 2.5.1. The issue occurs even when the mobile application requests the library to apply checks for server validation in SSL certificates.” Bovi explained in a blog post.

The experts estimated that the security issue could affect a very high number of mobile users.
The experts observed the problem even when the mobile application requests the AFNetworking library to apply checks for server validation in SSL certificates.
As consequence, a threat actor could intercept SSL traffic by using a proxy service such as the Burp Suite.

“After a few minutes, we figured out that there was a logical bug while evaluating trust for SSL certificates, whose consequence was to completely disable SSL certificate validation,” continues the post.

The researchers Bovi and Gentile have found the details of the flaw in a Github forum post in early February, in the post it is explained that AFNetworking framework could allow connection to https servers with invalid certificates.

The flaw seems to affect the version 2.5.1 of the library that was released in January 2015.

“I have verified that a malicious proxy server can sniff all the contents of HTTPS communication in this case,” reported the Github user duttski, who devepoed a temporary patch for the issue waiting for a final fix.

The creator of the libraryMattt Thompson, who currently maintains AFNetworking, promptly released the libraryMattt Thompson, who currently maintains AFNetworking, promptly released the libraryMattt Thompson, who currently maintains AFNetworking, promptly released the Version 2.5.2 and fixed the issue by adding “test and implementation of strict default certificate validation”.

Pierluigi Paganini

(Security Affairs –  MITM,  AFNetworking)



you might also like

leave a comment