
Error in AFNetworking code allows you to intercept user HTTPS traffic

A critical vulnerability has been found in one of the most popular networking frameworks for iOS and OS X. AFNetworking, specifically version 2.5.1, came under scrutiny from Minded Security researchers.


The SSL certificate validation logic lives in the evaluateServerTrust:forDomain: method of AFSecurityPolicy.m (AFNetworking 2.5.1; the excerpt ends where the original article cut it off):

```objectivec
- (BOOL)evaluateServerTrust:(SecTrustRef)serverTrust forDomain:(NSString *)domain {
    NSMutableArray *policies = [NSMutableArray array];
    if (self.validatesDomainName) {
        // Host-name check only happens when validatesDomainName is set
        [policies addObject:(__bridge_transfer id)SecPolicyCreateSSL(true, (__bridge CFStringRef)domain)];
    } else {
        [policies addObject:(__bridge_transfer id)SecPolicyCreateBasicX509()];
    }
    SecTrustSetPolicies(serverTrust, (__bridge CFArrayRef)policies);

    // Trust is only evaluated when a pinning mode other than None is active
    if (self.SSLPinningMode != AFSSLPinningModeNone && !AFServerTrustIsValid(serverTrust) && !self.allowInvalidCertificates) {
        return NO;
    }

    NSArray *serverCertificates = AFCertificateTrustChainForServerTrust(serverTrust);
    switch (self.SSLPinningMode) {
        case AFSSLPinningModeNone:
            return YES;   // reached without ever calling AFServerTrustIsValid
        // ... remaining pinning-mode cases omitted in the original excerpt
    }
}
```


By default, SSLPinningMode is set to AFSSLPinningModeNone. In that mode the first condition short-circuits before AFServerTrustIsValid is ever called, and the switch immediately returns YES, so the server's certificate chain is never evaluated at all: any certificate, self-signed included, is accepted. An attacker positioned on the network path can therefore run an SSL MITM against the application's HTTPS traffic.
This framework is quite popular. It is used by applications such as Pinterest, Heroku, Citrix OpenVoice Audio Conferencing, Alibaba, and others.
After the details of the vulnerability were published, other applications from the App Store were checked, and the results are disappointing: about 1,500 applications were found to be built on the "leaky" version of AFNetworking.
Following this, a lookup service was launched for checking whether a given application is affected: searchlight.sourcedna.com/lookup
Version 2.5.2 only partially closes the hole: the certificate chain is now evaluated, but validation can still be bypassed because the host name is not verified, so a certificate validly issued to any other domain is accepted for the connection.
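The two failure modes above, the 2.5.1 pinning-mode-None shortcut and the 2.5.2 missing host-name check, both come down to how AFSecurityPolicy is configured. The following is an added example, not code from AFNetworking or from the original article: an audit function that rejects a policy in either insecure configuration, and a builder for the policy a practitioner would actually ship. It assumes the AFNetworking 2.x public API (+[AFSecurityPolicy policyWithPinningMode:], the pinnedCertificates, allowInvalidCertificates and validatesDomainName properties, and the securityPolicy property of AFHTTPRequestOperationManager); the .cer file names bundled with the app are hypothetical.

```objectivec
#import "AFNetworking.h"

// Added example; not part of AFNetworking. Assumes the 2.x public API named in the lead-in.

// Returns YES only when evaluateServerTrust:forDomain: cannot take the 2.5.1
// "return YES without evaluating trust" path or the 2.5.2 "valid cert for any host" path.
// Call it from a unit test or a debug assertion on every manager the app creates.
BOOL SecurityPolicyIsHardened(AFSecurityPolicy *policy, NSError **error) {
    NSMutableArray *problems = [NSMutableArray array];

    // 2.5.1: with AFSSLPinningModeNone the trust chain is never evaluated at all.
    if (policy.SSLPinningMode == AFSSLPinningModeNone) {
        [problems addObject:@"SSLPinningMode is AFSSLPinningModeNone"];
    }
    // Explicitly accepting invalid certificates defeats validation in every version.
    if (policy.allowInvalidCertificates) {
        [problems addObject:@"allowInvalidCertificates is YES"];
    }
    // 2.5.2: without SecPolicyCreateSSL(true, domain) a certificate validly issued
    // to any other host name is accepted.
    if (!policy.validatesDomainName) {
        [problems addObject:@"validatesDomainName is NO"];
    }
    // Pinning with nothing pinned is a misconfiguration (connections fail closed).
    if (policy.SSLPinningMode != AFSSLPinningModeNone && policy.pinnedCertificates.count == 0) {
        [problems addObject:@"pinning is enabled but pinnedCertificates is empty"];
    }

    if (problems.count == 0) {
        return YES;
    }
    if (error) {
        *error = [NSError errorWithDomain:@"SecurityPolicyAudit"
                                     code:1
                                 userInfo:@{NSLocalizedDescriptionKey:
                                            [problems componentsJoinedByString:@"; "]}];
    }
    return NO;
}

// Builds a policy that pins the DER certificates bundled with the app, verifies the
// host name, and refuses invalid chains. Certificates are loaded explicitly rather
// than relying on any automatic bundle scan, so the pin set is visible in code review.
AFSecurityPolicy *HardenedSecurityPolicy(void) {
    AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];
    policy.allowInvalidCertificates = NO;
    policy.validatesDomainName = YES;   // selects SecPolicyCreateSSL(true, domain) in the excerpt above

    NSMutableArray *pinned = [NSMutableArray array];
    // Hypothetical bundled pins: api-example.cer, api-example-backup.cer (DER-encoded).
    for (NSString *path in [[NSBundle mainBundle] pathsForResourcesOfType:@"cer" inDirectory:nil]) {
        NSData *der = [NSData dataWithContentsOfFile:path];
        if (der.length > 0) {
            [pinned addObject:der];
        }
    }
    policy.pinnedCertificates = pinned;
    return policy;
}

// Usage: wire the hardened policy into the manager and fail loudly in debug builds
// if anyone later relaxes it back to the vulnerable defaults.
AFHTTPRequestOperationManager *ConfiguredManager(void) {
    AFHTTPRequestOperationManager *manager = [AFHTTPRequestOperationManager manager];
    manager.securityPolicy = HardenedSecurityPolicy();

    NSError *auditError = nil;
    NSCAssert(SecurityPolicyIsHardened(manager.securityPolicy, &auditError),
              @"insecure AFSecurityPolicy: %@", auditError.localizedDescription);
    return manager;
}
```

Note that the audit only inspects the policy object; it does not prove the library version in the binary is patched. Keep it alongside an upgrade to a fixed AFNetworking release rather than as a substitute for one.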

Related Links:
SSL MiTM attack in AFNetworking 2.5.1 - Do NOT use it in production!
1,500 iOS apps have HTTPS-crippling bug. Is it one of them on your device?
AFNetworking on Habré

Source: https://habr.com/ru/post/257163/
