A critical MiTM flaw in AFNetworking iOS, OS X framework was fixed

Security experts at Minded Security firm have recently discovered a flaw in the popular networking library for iOS and OS X AFNetworking.

The researchers Simone Bovi and Mauro Gentile at the security firm Minded Security discovered a flaw in the popular networking library for iOS and OS X AFNetworking. The researchers found the flaw while were conducting the analysis of a mobile application for one of their clients.were conducting the analysis of a mobile application for one of their clients.

The flaw appeared very serious, popular mobile applications like Pinterest, Vine, Heroku , and Simple use the networking library for iOS and OS X exposing the users to man-in-the-middle (MiTM) attacks.

The development team behind the framework AFNetworking promptly pushed a fix for the security issue.

“It turned out that because of a logic flaw in the latest version of the library, SSL MiTM attacks are feasible in apps using AFNetworking 2.5.1. The issue occurs even when the mobile application requests the library to apply checks for server validation in SSL certificates.” Bovi explained in a blog post.

The experts estimated that the security issue could affect a very high number of mobile users.

The experts observed the problem even when the mobile application requests the AFNetworking library to apply checks for server validation in SSL certificates.

As consequence, a threat actor could intercept SSL traffic by using a proxy service such as the Burp Suite.

“After a few minutes, we figured out that there was a logical bug while evaluating trust for SSL certificates, whose consequence was to completely disable SSL certificate validation,” continues the post.

The researchers Bovi and Gentile have found the details of the flaw in a Github forum post in early February, in the post it is explained that AFNetworking framework could allow connection to https servers with invalid certificates.

The flaw seems to affect the version 2.5.1 of the library that was released in January 2015.

“I have verified that a malicious proxy server can sniff all the contents of HTTPS communication in this case,” reported the Github user duttski, who devepoed a temporary patch for the issue waiting for a final fix.

The creator of the libraryMattt Thompson, who currently maintains AFNetworking, promptly released the libraryMattt Thompson, who currently maintains AFNetworking, promptly released the libraryMattt Thompson, who currently maintains AFNetworking, promptly released the Version 2.5.2 and fixed the issue by adding “test and implementation of strict default certificate validation”.

Pierluigi Paganini

(Security Affairs – MITM, AFNetworking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.