A few weeks after the developers of AFNetworking, a library popular among iOS and OS X app developers, patched a serious bug that enabled man-in-the-middle attacks, another, similar flaw has surfaced.
The new vulnerability is related to how the AFNetworking library handles domain name validation for certificates. As it turns out, the library has a flag set that disables domain validation by default, meaning that an attacker could effectively present any valid certificate to an app affected by the vulnerability, and the app would accept it. Researchers at SourceDNA said that the vulnerability is as serious as they come for a mobile app.
“This meant that a coffee shop attacker could still eavesdrop on private data or grab control of any SSL session between the app and the Internet. Because the domain name wasn’t checked, all they needed was a valid SSL certificate for any web server, something you can buy for $50,” the company said in a blog post.
The vulnerability popped up just a day after another serious flaw was disclosed and fixed in AFNetworking. The previous bug was similar in nature and related to the fact that the library would accept self-signed certificates. The newer flaw is in the same part of the code and could affect as many as 25,000 apps.
“We were surprised to see this bug in 2.5.2, and doubly so when we realized this issue had already been reported and fixed the day after the previous SSL flaw was fixed, but no one seemed to have noticed that it had been left out of the 2.5.2 release,” the SourceDNA post says.
SourceDNA was founded by cryptographer Nate Lawson, who has long experience finding serious cryptographic problems. The company recommends that developers of affected apps enable certificate pinning or key pinning, either of which would have protected against an attack on either of these bugs.
The latest AFNetworking vulnerability is fixed in version 2.5.3.
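The domain-validation flag and the pinning recommendation described above can both be set explicitly, so an app does not depend on the library's defaults. The following is an added example, not code from AFNetworking or SourceDNA; it targets the AFNetworking 2.x `AFSecurityPolicy` API, and the host `api.example.com`, the bundled file `api.example.com.cer`, and the helper names are assumptions.

```objective-c
#import <Foundation/Foundation.h>
#import <AFNetworking/AFNetworking.h>

// Hypothetical helper: YES only if the policy checks the host name, rejects
// invalid chains, and pins. Suitable for a unit test, so a library upgrade or
// a stray debug setting cannot silently weaken TLS validation.
static BOOL PolicyIsAcceptable(AFSecurityPolicy *policy) {
    return policy != nil
        && policy.validatesDomainName
        && !policy.allowInvalidCertificates
        && policy.SSLPinningMode != AFSSLPinningModeNone;
}

// Hypothetical factory. "api.example.com" and the bundled DER certificate
// "api.example.com.cer" are placeholders for the app's own backend.
static AFHTTPSessionManager *MakePinnedManager(void) {
    // Relying on [AFSecurityPolicy defaultPolicy] means no pinning, and on an
    // affected release the article says the domain name is not checked either.

    NSString *path = [[NSBundle mainBundle] pathForResource:@"api.example.com"
                                                     ofType:@"cer"];
    NSData *pinnedCert = path ? [NSData dataWithContentsOfFile:path] : nil;
    if (pinnedCert == nil) {
        return nil; // fail closed: never fall back to an unpinned policy
    }

    // Public-key pinning: the server's key must match the bundled certificate's key.
    AFSecurityPolicy *policy =
        [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey];
    policy.pinnedCertificates = @[pinnedCert];  // NSArray in the 2.x API
    policy.allowInvalidCertificates = NO;       // keep chain validation on
    policy.validatesDomainName = YES;           // set explicitly, whatever the default

    if (!PolicyIsAcceptable(policy)) {
        return nil;
    }

    NSURL *baseURL = [NSURL URLWithString:@"https://api.example.com/"];
    AFHTTPSessionManager *manager =
        [[AFHTTPSessionManager alloc] initWithBaseURL:baseURL];
    manager.securityPolicy = policy;
    return manager;
}
```

Calling `PolicyIsAcceptable` on every session manager's `securityPolicy` from the app's test suite catches a policy that was replaced or loosened elsewhere in the code base.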