Slashdot Mirror

← Back to Stories (view on slashdot.org)

Networking Library Bug Breaks HTTPS In ~1,500 iOS Apps

Posted by Soulskill on from the snake-in-the-walled-garden dept.

mrflash818 writes: A new report from analytics service SourceDNA found that roughly 1,500 iOS apps (with about 2 million total installs) contain a vulnerability that cripples HTTPS and makes man-in-the-middle attacks against those apps easy to pull off. "The weakness is the result of a bug in an older version of the AFNetworking, an open-source code library that allows developers to drop networking capabilities into their apps. Although AFNetworking maintainers fixed the flaw three weeks ago with the release of version 2.5.2, at least 1,500 iOS apps remain vulnerable because they still use version 2.5.1. That version became available in January and introduced the HTTPS-crippling flaw."

73 comments

  1. Poor Design... by Etherwalk · · Score: 0

    The fact that a library cannot be updated simultaneously with a security patch in all apps in the app store with a change that does not change API or in-app behavior is kind of absurd.

    Disclaimer: I am guessing this is the case, or else why would 1500 apps still be vulnerable?

    1. Re:Poor Design... by Anonymous Coward · · Score: 0

      It isn't a bug in a library that ships with iOS. It's a bug in a 3rd party library (AFNetworking).

    2. Re:Poor Design... by sg_oneill · · Score: 2

      Non system libraries are statically linked .a files in IOS. Apple insists on this, although I'm not entirely sure why. I guess its to avoid DLL hell.

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
    3. Re:Poor Design... by Etherwalk · · Score: 0

      Non system libraries are statically linked .a files in IOS. Apple insists on this, although I'm not entirely sure why. I guess its to avoid DLL hell.

      It saves them money; they don't have to spend the time developing a robust system for DLL registration, signing, updating, etc...

      But it is still a really bad engineering decision, because it means what could have been patched once has to push security updates in *fifteen hundred statically linked applications*. It's their marketplace and their walled garden; they should be subsidizing the expenses which make it more secure for everybody and reduce total developer time for publishers. Push the update to developers a little in advance in case it breaks an app, then auto-push the update either to everyone or with a held-back copy for any apps that specifically flag no-security-update.

      It's not rocket science, it's just good engineering.

    4. Re:Poor Design... by Anonymous Coward · · Score: 1

      Alternatively, it's a security decision, because they don't want one 3rd party to be able to inject code into another 3rd party application except under very controlled circumstances (which would be why iOS 8 supports dynamic libraries, but heavily restricts exactly the circumstances in which one can be used).

      Or... It could be a performance issue. Not doing a bunch of dynamic linking at application launch time would get applications launching much faster on resource constrained devices.

      Or ...

      That is, don't be so dumb as to assume that just because it's Apple, it can't possibly have been an engineer making a technical decission.

    5. Re:Poor Design... by tlhIngan · · Score: 5, Insightful

      Non system libraries are statically linked .a files in IOS. Apple insists on this, although I'm not entirely sure why. I guess its to avoid DLL hell.

      Well, to properly do this, requires a way to manage libraries separately from apps. And that rapidly becomes a usability nightmare, as well as, ironically, a security nightmare.

      What happens when an update comes out? Do you keep both versions? What happens if an app is incompatible with the new version? What if the old version is insecure, and the new version incompatible? Do you go for insecure-but-working, or broken-but-secure? What if the developer isn't around anymore to fix it?

      Then there's security - if you come up with a way to do this, how do you isolate the data from one another? How do you keep the library (which has access to everyone's data) from accessing and passing around the information? Perhaps a malicious update goes and accesses everyone's information then dumps it to another app for uploading?

      Effectively, the only way is to statically link the library into each app - this way each app contains a library that works and is tested. But it also means developers are responsible for maintaining their apps.

    6. Re:Poor Design... by kthreadd · · Score: 1

      Non system libraries are statically linked .a files in IOS. Apple insists on this, although I'm not entirely sure why. I guess its to avoid DLL hell.

      Managing shared libraries across applications works fine in a GNU distribution where the distribution takes responsibility for all applications. With Apple's approach there's no good way to manage this, different applications might use their own specialized version of the library. At most you might have an opt-in system where developers can register the libraries they are using and the version they require, and have the system download and manage them for them.

    7. Re:Poor Design... by Dutch+Gun · · Score: 5, Insightful

      Before you lambast Apple for poor engineering decisions, think carefully about the ramifications of using shared third-party libraries. DLLs have their own problems - hence the well known term "DLL Hell".

      Does Apple have to sign and push the 3rd party shared library itself? That would be the only safe solution I can think of, because otherwise you're giving apps the ability to modify each others' code, which is clearly a recipe for potential abuse. Apple can't realistically take the responsibility for monitoring, compiling, and pushing updates for third-party libraries, which would be nearly impossible to do in practice. Alternatively, there's no way Apple could allow the apps themselves to update the shared libraries, because then a single app could break or even hack thousands of other apps with a bad update. Delegating that authority to a third-party (like the library developer) is equally problematic, because there's no way for them to properly test any changes before pushing them, and the potential for abuse still exists.

      DLLs make a lot of sense for shared systems libraries, but as far as third-party libraries, they'd be a practical nightmare.

      --
      Irony: Agile development has too much intertia to be abandoned now.
    8. Re:Poor Design... by _merlin · · Score: 1

      This is where the world is going with per-application library installations on Windows, things like Docker on Linux and application bundles containing libraries/frameworks on OSX. It guarantees that you don't get unexpected application breakage on a library update, but in means a library update requires work for every application using it.

    9. Re:Poor Design... by Guy+Harris · · Score: 2

      Non system libraries are statically linked .a files in IOS. Apple insists on this, although I'm not entirely sure why. I guess its to avoid DLL hell.

      I suppose they could support providing dynamically-linked libraries as part of an app bundle. However, it's not clear why that would be any better than statically linking the library, as Apple probably wouldn't allow those dynamically-linked libraries to be shared between applications (apps being sandboxed, they couldn't pull in a .dylib from another app bundle) and wouldn't allow them to be updated separately from the app bundle. The only advantages it might provide would be code sharing between executable images in the same app bundle and convenience of building app bundles if the libraries are provided as .dylibs.

      Neither OS X nor iOS are really set up to manage shared libraries/frameworks as installable objects separate from applications that use them. Perhaps they should be set up to do so, but that might need to be done carefully to avoid, well, DLL hell.

    10. Re:Poor Design... by Anonymous Coward · · Score: 0

      Alternatively, it's a security decision

      That has now been proved was a bad decision.

      That is, don't be so dumb as to assume that just because it's Apple, it can't possibly have been an engineer making a technical decission.

      No-one is claiming that. What people are saying is that the decision was bad. The accusation isn't that Apple doesn't engineer stuff, the accusation is that it is badly engineered.

    11. Re:Poor Design... by Anonymous Coward · · Score: 0

      Managing shared libraries across applications works fine in a GNU distribution where the distribution takes responsibility for all applications.

      Apple has decided to assume control of the distribution chain making it their responsibility. That they don't take it is another problem.

    12. Re:Poor Design... by kthreadd · · Score: 1

      OS X actually has perfectly fine support for shared libraries. They are supposed to be installed under /Library/Frameworks, and there are some applications that do that. There's no reason why they couldn't do that on iOS as well, just let developers share frameworks on the App Store and build a mechanism into the App Store where an app can require other apps or frameworks.

    13. Re:Poor Design... by Guy+Harris · · Score: 1

      OS X actually has perfectly fine support for shared libraries. They are supposed to be installed under /Library/Frameworks,

      ...and OS X keeps track of which installed applications use them, and either prevent uninstallation of shared libraries/frameworks that are used by installed applications or at least warn about it?

      No, it doesn't - it doesn't even have an official uninstaller (although the ambitious can whip up a script to do that, such as the Wireshark uninstaller script I have; not sophisticated, though, as it doesn't dump the file list from the package manifest to figure out what stuff needs to be removed, it just has that knowledge wired into it).

      And it definitely does not have a way to tie installable application A to installable shared library/framework X, so that installing A automatically installs X if A and X are separate packages from separate vendors.

      That is the sort of "[management of] shared libraries/frameworks as installable objects separate from applications that use them" to which I was referring.

      And, yes, that does sound a bit like the packaging management systems on some Linux distributions. From my limited experience with various Linux VMs on my Mac, they seems to work OK, but I don't have enough experience with them to say that there aren't problematic failure modes.

      At least OS X frameworks have some support for versioning, so that if application A tested with version n of X and set up to require version n and application B is tested with version m of X and set up to require version m, they could be installed "side-by-side".

      There's no reason why they couldn't do that on iOS as well, just let developers share frameworks on the App Store and build a mechanism into the App Store where an app can require other apps or frameworks.

      And set up a framework (no pun intended) so that they can do the same sort of vetting of frameworks that they do on applications. Yes, that would be a Good Thing, but I'm not about to assume, without further information, that it's not that hard.

    14. Re:Poor Design... by Etherwalk · · Score: 0

      Non system libraries are statically linked .a files in IOS. Apple insists on this, although I'm not entirely sure why. I guess its to avoid DLL hell.

      Well, to properly do this, requires a way to manage libraries separately from apps. And that rapidly becomes a usability nightmare, as well as, ironically, a security nightmare.

      What happens when an update comes out? Do you keep both versions? What happens if an app is incompatible with the new version? What if the old version is insecure, and the new version incompatible? Do you go for insecure-but-working, or broken-but-secure? What if the developer isn't around anymore to fix it?

      Then there's security - if you come up with a way to do this, how do you isolate the data from one another? How do you keep the library (which has access to everyone's data) from accessing and passing around the information? Perhaps a malicious update goes and accesses everyone's information then dumps it to another app for uploading?

      Effectively, the only way is to statically link the library into each app - this way each app contains a library that works and is tested. But it also means developers are responsible for maintaining their apps.

      All great questions, but static linking isn't an answer, it's giving up on having an answer.

    15. Re:Poor Design... by Rosyna · · Score: 2

      The fact that a library cannot be updated simultaneously with a security patch in all apps in the app store with a change that does not change API or in-app behavior is kind of absurd.

      Disclaimer: I am guessing this is the case, or else why would 1500 apps still be vulnerable?

      Maybe because it's not a library or a framework? AFNetworking is a set of classes/source code that you add to your project. It is not meant to be used as a separate library.

      And yes, bug fixes always change behaviour

    16. Re:Poor Design... by AchilleTalon · · Score: 1

      What if the developer isn't around anymore to fix it?

      It means you have picked the wrong library since there isn't enough interest in it to sustain it. You should then drop it for a replacement or write your own code. I know, there is plenty of examples of good libraries that are not well funded, so they went unsecure since developers cannot dedicate time to maintain them properly, one recent example comes to mind: OpenSSL and Heartbleed bug. On one side you have all these companies buying expensive Linux distros from respectable vendors with the guarantee if something goes wrong the vendor will fix it and on the other side, the vendor pocket the money and doesn't fund the developers that make him existing in first place or at least the most critical libraries that justify the companies to buy Linux instead of getting it for free and funding directly the projects they believe they critically depend on.

      --
      Achille Talon
      Hop!
    17. Re:Poor Design... by Rosyna · · Score: 2

      Non system libraries are statically linked .a files in IOS. Apple insists on this, although I'm not entirely sure why. I guess its to avoid DLL hell.

      It saves them money; they don't have to spend the time developing a robust system for DLL registration, signing, updating, etc...

      But it is still a really bad engineering decision, because it means what could have been patched once has to push security updates in *fifteen hundred statically linked applications*. It's their marketplace and their walled garden; they should be subsidizing the expenses which make it more secure for everybody and reduce total developer time for publishers. Push the update to developers a little in advance in case it breaks an app, then auto-push the update either to everyone or with a held-back copy for any apps that specifically flag no-security-update.

      It's not rocket science, it's just good engineering.

      So what are you suggesting? That every single library every single third party app uses all be installed into one location? And that every single application submitted to the app store break out their libraries separately?

      iOS apps are meant to be completely contained within a single bundle.

      (and yes, iOS supports dynamically linked libraries, of course it does)

    18. Re:Poor Design... by Gr8Apes · · Score: 2, Insightful

      Alternatively, it's a security decision

      That has now been proved was a bad decision.

      Absolutely false - it has proven that 1500 apps made a poor 3rd party library decision.

      No-one is claiming that. What people are saying is that the decision was bad. The accusation isn't that Apple doesn't engineer stuff, the accusation is that it is badly engineered.

      Or, it could be that some people were lazy and decided to use a crappy library? If you choose to use security by obscurity library 'x', is it Apple's fault when that security hole is discovered in your App? What Apple should do is remove all ~1500 apps from the App Store as being "unsuitable" for sale. They've done it with others for far less serious issues.

      --
      The cesspool just got a check and balance.
    19. Re:Poor Design... by Lumpy · · Score: 5, Insightful

      It's not apple's fault, it's 1500 bad developers that did not instantly compile with the updated library and submit for update to the store.

      100% of the blame sits at the feet of the developers of those apps.

      --
      Do not look at laser with remaining good eye.
    20. Re:Poor Design... by arglebargle_xiv · · Score: 1

      Before you lambast Apple for poor engineering decisions, think carefully about the ramifications of using shared third-party libraries. DLLs have their own problems - hence the well known term "DLL Hell".

      Uh, yeah, that was an issue for Windows 3.1 more than twenty years ago. There have been a few advances in dealing with this since then. Using Windows 3.1 engineering issues as an excuse for current bad engineering issues doesn't really cut it.

    21. Re:Poor Design... by jeremyp · · Score: 2

      It's done the way it is because the alternative is unmanageable.

      Apple would have to introduce a way for app developers to add external dependencies to their executables and for those external dependencies to be downloaded, if necessary, along with the app. This is obviously all possible as the Linux and BSD package management systems demonstrate but it would mean Apple would have to maintain an enormous repository of external libraries and the app developers would have to regression test their apps against every single version of the library just in case downloading a new version breaks their app.

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
    22. Re:Poor Design... by Anonymous Coward · · Score: 0

      Just going to point out something you just said. Linux and BSD do it. So Apple can't why?

    23. Re:Poor Design... by DarkOx · · Score: 2

      if by advances you mean 10+ gigabyte WINSxS directories that make the OS suck balls to run visualize / backup unless you have an expensive block level de-dupe system on SAN than yes there have been advances.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    24. Re:Poor Design... by DarkOx · · Score: 1

      The sensible way would be to do what every Linux distro has been doing for 20 years now. The "APP" includes a manifest of its dependencies. When you install it from the App store (remember Apple does not make side loads easy, unless you are developer in which case you can solve deps issue by having the required packages available) it simply goes an fetches the required libraries at the same time if you don't already have them.

      This is a solved problem!

      Taking in one tiny step further IOS just needs to scan through all the manifests (or keep a little sqlite db or something) and remove non-core library packages anytime a user deletes the last application which depends on it. Its not 100% easy stuff, but there are plenty of working examples, out there to lift concepts and perhaps even code from.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    25. Re: Poor Design... by Anonymous Coward · · Score: 0

      This guy gets it ^^^

    26. Re:Poor Design... by alex67500 · · Score: 1

      Great. Bloat your executables to hell. I guess that's why Keynote takes 600M on an iPhone, Word 400~ etc.

    27. Re:Poor Design... by Anonymous Coward · · Score: 0

      And great... now a 3rd party can inject code into any application!

      That fits really well with iOS's security model, right ;P

    28. Re:Poor Design... by Anonymous Coward · · Score: 1

      Just going to point out something you just said. Linux and BSD do it. So Apple can't why?

      Because they want a system that people can and will use. You know, unlike Linux and BSD.

    29. Re:Poor Design... by LordWabbit2 · · Score: 1

      It's a COM issue, and has existed since there was a registry. If you write a COM dll you will still have to deal with DLL hell. The problem hasn't gone away, it's just been replaced with .Net and the global assembly cache. In .Net you can still specify that you want your DLL to register for COM interop - rarely needed to do it, but sometimes you are working on ancient code and it's the only way for it to talk to a .Net dll.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
    30. Re:Poor Design... by Keith+Russell · · Score: 1

      Or, it could be that some people were lazy and decided to use a crappy library? If you choose to use security by obscurity library 'x', is it Apple's fault when that security hole is discovered in your App?

      AFNetworking is MIT-licensed, FYI. You can look it up on Github.

      --
      This sig intentionally left blank.
    31. Re:Poor Design... by Anonymous Coward · · Score: 0

      What happens when an update comes out? Do you keep both versions? What happens if an app is incompatible with the new version?

      You pull the incompatible app for failing to comply with security policy.

      What if the old version is insecure, and the new version incompatible? Do you go for insecure-but-working, or broken-but-secure? What if the developer isn't around anymore to fix it?

      Sucks to be the user to see working apps pulled because the developer won't fix the problem. This is what you get for being in Apple's Walled Garden. Honestly, if this HTTPS bug allowed you to install pirated iOS apps, how quickly do you think Apple would pull all affected apps?

      Then there's security - if you come up with a way to do this, how do you isolate the data from one another? How do you keep the library (which has access to everyone's data) from accessing and passing around the information?

      A library isn't a server process. The data is isolated intrinsically to each app and each app has security policies that segregate each from the other. There's no inherent way to pass information around and if the library demands the privilege, well, ban that library from usage on the app store and ban any app that tries to statically compile it in.

      Perhaps a malicious update goes and accesses everyone's information then dumps it to another app for uploading?

      If a malicious update can do this, then the problem is with the update process. If Apple is signing off on the libraries, it's their responsibility to check the libraries for privilege violations. If Apple is accepting app updates from developers, it's their responsibility to check the updates for privilege violations. Again, this is all in the scope of Apple's Walled Garden and by its very nature Apple has put it upon itself to be the guardian of its own garden.

      Effectively, the only way is to statically link the library into each app - this way each app contains a library that works and is tested. But it also means developers are responsible for maintaining their apps.

      Which works just as well from a policy standpoint, but from a usability standpoint it's much easier on Apple's part to push developers to use shared libraries, update the shared libraries themselves, and then pull the (probably) few apps that break when shared libraries update and the developer doesn't release a fix.

      Again, if any of these bugs allowed pirated iOS apps to be installed... The very nature of Apple's Walled Garden is precisely that they can and should pull insecure/broken apps, whether they're insecure from a shared or static library or broken because of an Apple update or a lack of developer updates. To argue in any fashion that it's "hard" is irrelevant because Apple has put itself up to the task. This is the same reason why one can feel sympathy for DLL hell in Windows but have legitimate outrage when Linux distros break packages.

    32. Re:Poor Design... by BronsCon · · Score: 1

      On one hand yes, the developers should have updated their apps and submitted those updated versions as soon as the library was fixed and each of these apps would have been patched in 4-7 days. On the other hand, if Apple were managing a repository of libraries they could have updated the library in a matter of minutes.

      Sure, developers might have stupidly decided to statically link the library in their app despite it being available in Apples repository, and those apps would still have the same issue, but Apple would have gotten some good PR out of this, being able to point at all of the apps using the version in their repository and say "but these apps were all fixed within minutes, with no action from the developers". Who doesn't want that in their platform? Developers? We like not having to match security vulns ourselves; .Net is popular for a reason. Users? We like not having to rely on a developer who may have moved on to another project to eventually get around to fixing their app and we like not having to update our apps in the first place. Platform devs? I'm pretty sure they like being able to point at issues like this and say "my platform doesn't have that problem". So, I guess the answer to that question is nobody doesn't want that.

      Bad developers will always make stupid decisions, but that doesn't mean good developers can't offer them better solutions.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    33. Re:Poor Design... by BronsCon · · Score: 1

      What happens when an update comes out?

      You build it and add it to the repository.

      Do you keep both versions?

      Yes, you keep both in the repository. Some app might only be compatible with that version. That, of course, makes that particular app insecure, but your system is, overall, more secure than the current system. Of course, you only keep the libraries specified in the manifests of installed apps locally; there is no need to keep unused versions locally.

      What happens if an app is incompatible with the new version?

      Then you keep using the old version. That, of course, makes that particular app insecure, but your system is, overall, more secure than the current system.

      What if the old version is insecure, and the new version incompatible?

      Then you keep using the old version. That, of course, makes that particular app insecure, but your system is, overall, more secure than the current system.

      Do you go for insecure-but-working, or broken-but-secure?

      Insecure but working. That, of course, makes that particular app insecure, but your system is, overall, more secure than the current system.

      What if the developer isn't around anymore to fix it?

      Then you run into the same problem we have today. That, of course, makes apps using that particular library insecure, but your system is, overall, more secure than the current system.

      Then there's security - if you come up with a way to do this, how do you isolate the data from one another?

      The data belongs to the application, not the library. It shouldn't be too difficult to do nothing and let the data continue belonging to the application and not the library.

      How do you keep the library (which has access to everyone's data) from accessing and passing around the information?

      You don't, you don't need to, and your assumption is incorrect. The library gets linked into the application; it, therefore, has only the application's permissions and can access only what the application can access. The worst case is no worse than what we have today, where a malicious library can access data belonging to the app it is linked into and perform any actions that app can perform; the best case is that libraries with vulnerabilities can be patched and apps that are only compatible with versions of libraries with critical vulnerabilities can be pulled until they have been updated.

      Perhaps a malicious update goes and accesses everyone's information then dumps it to another app for uploading?

      This is why Apple would manage the repository of libraries (e.g. "You", in all of the examples above, would be Apple). It's also a non-issue, since the library gets linked into the application and, therefore, has only the application's permissions and can access only what the application can access. The worst case is no worse than what we have today, where a malicious library can access data belonging to the app it is linked into and perform any actions that app can perform; the best case is that libraries with vulnerabilities can be patched and apps that are only compatible with versions of libraries with critical vulnerabilities can be pulled until they have been updated.

      You'll see that I kept it simple by repeating a lot of my clauses, so you don't have to parse as much in order to understand how wrong you are.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    34. Re:Poor Design... by tepples · · Score: 1

      And great... now a 3rd party can inject code into any application!

      Only if Apple signs the updated library.

    35. Re:Poor Design... by Gr8Apes · · Score: 1

      Is Apple now responsible for all MIT licensed software on GitHub?

      --
      The cesspool just got a check and balance.
    36. Re:Poor Design... by Rosyna · · Score: 1

      The sensible way would be to do what every Linux distro has been doing for 20 years now. The "APP" includes a manifest of its dependencies. When you install it from the App store (remember Apple does not make side loads easy, unless you are developer in which case you can solve deps issue by having the required packages available) it simply goes an fetches the required libraries at the same time if you don't already have them.

      So then every developer would have to submit all the libraries they use separately so that they can be indexed and maintained? Who signs the libraries? How do they know Library A doesn't have a backdoor from Developer B when used in App C?

    37. Re:Poor Design... by Trillan · · Score: 1

      My apps, which use AFNetworking, are not vulnerable. Precisely because I avoided 2.5.1 because I saw that commit go by and didn't like the look of it.

  2. No... by Anonymous Coward · · Score: 0

    This isn't an iOS bug as the summary implies. It's a bug in AFNetworking - a 3rd party library.

    1. Re:No... by Rosyna · · Score: 1

      It's not even really a library (in the linking sense). It's just a set of source files you add to your project.

  3. Statistics by Anonymous Coward · · Score: 0

    The article says about 1000 apps have the flawed code (not 1500 as mentioned twice in the summary. The summary also makes it sound like these 1000 apps' developers are lazy bastards for not patching already, but the article points out that, of the 20000 apps they found using the library, 55% or about 11000 had never bothered to upgrade to the buggy version. Another 40% or 8000 use the bad version but don't use the code containing the flaw. Only 5% or 1000 apps use the bad code. So approximately 0% or 0 apps have upgraded to the fixed code. Maybe instead of blaming those thousand developers, there's another reason?

    While it takes Apple more than a week to approve an app on average, we have no information as to how long they are taking to approve apps that are trying to fix this bug. In other words, all 1000 apps' developers might have upgraded their code 3.4 seconds after the patch released, and still they'd have the flawed code in the version available in the app store.

    So let's refocus the discussion, and instead of talking about the pointless stuff in the summary, let's talk about what Apple needs to do to have a faster approval process for apps containing critical bug fixes. Any thoughts?

    1. Re:Statistics by Anonymous Coward · · Score: 0

      Sure. I could write some pointless app and sell it to somebody else who then submarines in a trojan and calls it a "critical bug fix". Approval processes shouldn't be bypassed. In other words, "your emergency is not my emergency" might be the correct policy to have.

    2. Re:Statistics by Anubis+IV · · Score: 4, Interesting

      So approximately 0% or 0 apps have upgraded to the fixed code. Maybe instead of blaming those thousand developers, there's another reason?

      Indeed there is. You must've glossed over it in the article, since the article makes it clear that the survey was conducted on the same day that the patch was announced, which means that developers hadn't yet had a chance to incorporate the patch, let alone submit an update to the app store. That's why 0% registered as being updated.

      [...] instead of talking about the pointless stuff in the summary, let's talk about what Apple needs to do to have a faster approval process for apps containing critical bug fixes. Any thoughts?

      iOS developers can already mark critical updates as being in need of an expedited review. Unless the expedited review process is taking too long—and there's no evidence as yet that this is the case (see above for why 0% isn't alarming)—then we're inventing a problem where one does not exist. Note how the article provides users with the ability to poll more recent data, yet they don't present any of that data. The conclusion we might reach is that the results of the later surveys were less than newsworthy, so they've chosen to selectively report on the parts that make for headlines.

    3. Re:Statistics by plover · · Score: 1

      They could maintain a list of third party library versions and identify versions of apps that link with them. But then what? As a user, I might not want Apple to shut off some random app I depend on -- just because they think it might be hackable doesn't mean my device is actually being hacked; and I might really need that app today for some important client presentation.

      They could contact impacted developers and request they repair the damage, but what can they do if nobody responds?

      Apple focuses on end user experience first. They won't want to inconvenience their users that much.

      --
      John
    4. Re:Statistics by Anonymous Coward · · Score: 0

      They could maintain a list of third party library versions and identify versions of apps that link with them. But then what? As a user, I might not want Apple to shut off some random app I depend on

      They don't need to, they just need to flag the app as potentially insecure and then let the user make an informed decision.
      The problem is that that would force the user to actually be informed and would break their image of "just works"
      People wouldn't be able to just pay extra to make technical issues be someone else's problem.
      Essentially they would lose their selling point over Android and just be overpriced with less possibilities.

    5. Re:Statistics by Anonymous Coward · · Score: 0

      iOS developers can already mark critical updates as being in need of an expedited review.

      Yeah, but then you have to deal with those passive-aggressive dev support lackeys who talk like they're doing you a favor, as if it wasn't their job.

  4. ~1500 App Developers wasted their time by GrahamCox · · Score: 3, Informative

    iOS has perfectly functional networking libraries and simple objects that provide an API to them. Why anyone would bother linking in a 3rd party library to replicate that functionality I can't understand. If a vulnerability were found in the iOS libraries, Apple could roll out an update and fix it overnight. As it is, that's ~1500 apps need to be revved.

    1. Re:~1500 App Developers wasted their time by Njovich · · Score: 0

      I don't know why you would say that it's good. Especially early in IOS history it was pretty annoying to write basic networking functionality like downloading and saving a file that's too large to keep in memory. The whole reason people used libraries like these is because Apples API weren't easy enough to use.

    2. Re:~1500 App Developers wasted their time by GrahamCox · · Score: 4, Insightful

      iOS 2.0 added NSURLConnection. iOS 7 added NSURLSession. Downloading chunks of data and saving them to a file is trivial with the latter, still pretty easy with the former. I'm not sure what you needed to do prior to iOS 2, but that's ancient history - I doubt anyone is still supporting back that far. Point is, using a 3rd party library today when there are straightforward classes to do it in Foundation that have been debugged already by Apple (and will continue to be so) is the only really sensible option. Even if you're writing cross-platform it's easy enough to create equivalent objects you can interface to that wrap other networking solutions on non-iOS devices.

    3. Re:~1500 App Developers wasted their time by Njovich · · Score: 1

      I think we are actually on the same page, I also never used networking libraries, but I can't blame people that did. NSURLConnection really was lacking.

      Yeah, it was all possible, but when you searched for IOS networking problems on sites like Stackoverflow for networking related issues, you would often get answers that just gave a couple of lines of AFNetworking code to fix something that was a PITA in NSURLConnection.

      If NSURLConnection really was that good, people wouldn't have bothered with libraries for basic tasks.

      As for NSURLSession. The fact is that a lot of apps were written prior to IOS7 and you can not expect everyone to rewrite networking code to a new API. I suspect a lot of the pretty small group apps of apps caught by this problem were simply written before that.

    4. Re:~1500 App Developers wasted their time by Anonymous Coward · · Score: 0

      AFNetworking uses Apple's classes. Most of what it does is wrap them to implement some more modern, terse and easy to maintain patterns and make things like functional reactive design easy. It also generally prevents bugs that many developers might otherwise introduce. I've done it both ways and I can assure you that although there is a learning curve to these design patterns, AFNetworking can help you write better code.

    5. Re:~1500 App Developers wasted their time by gnasher719 · · Score: 1

      ... and anything from iPhone 4 upwards can use iOS 7. There is practically no reason not to write for IOS 7 exclusively, since nobody with iOS 6 is going to buy any apps anymore.

    6. Re:~1500 App Developers wasted their time by 0xdeadbeef · · Score: 2

      iOS has perfectly functional networking libraries and simple objects that provide an API to them.

      Not for doing anything even the slightest bit complex. Like, for example, certificate pinning and certificate validation, which is what AFNetworking fucked up.

      Do you think Apple is better? The APIs are shit. They are horribly documented. They don't "just work" with the high level Objective C APIs, but require a lot of low-level tinkering. They don't perform revocation checks consistently.

      People use AFNetworking because the standard APIs are not good enough. I would have been using it had I not already rolled my own wrappers long before AFNetworking had the features I required. The average iOS developer cannot do that.

    7. Re:~1500 App Developers wasted their time by tlhIngan · · Score: 1

      I'm not sure what you needed to do prior to iOS 2, but that's ancient history - I doubt anyone is still supporting back that far

      You did nothing. You couldn't write apps for iPhone OS 1.x because iPhone OS 2.0 introduced the app store. So unless you jailbroke, you only wrote apps against iPhone OS 2.0.

    8. Re:~1500 App Developers wasted their time by jittles · · Score: 1

      ... and anything from iPhone 4 upwards can use iOS 7. There is practically no reason not to write for IOS 7 exclusively, since nobody with iOS 6 is going to buy any apps anymore.

      As of February of this year, all new app releases MUST target iOS 7 or higher as well as support 64 bit

    9. Re:~1500 App Developers wasted their time by Anonymous Coward · · Score: 0
      https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html

      We analyzed roughly 10,000 applications from the Google Play store. This was a random sample of free applications. Roughly 4,000 (40%) use trust managers that do not check server certificates, exposing any data they exchange with their servers to potential theft. Furthermore, around 750 (7%) applications use hostname verifiers that do not check hostnames, implying that they are incapable of detecting redirection attacks where the attacker redirects the server request to a malicious webserver controlled by the attacker. Finally, 1,300 (13%) do not check SSL errors when they use Webkit.

      Case Studies (Applications rendered vulnerable due to vulnerable libraries)

      Applications may use third-party libraries to enable part of their functionality. When these libraries have baked-in vulnerabilities, they are particularly dangerous because they make all applications that use them, and frequently the devices that run them, vulnerable. Furthermore, these vulnerabilities are not weaknesses in the applications themselves, but in the features they rely upon for functionality.

      Flurry. Flurry is the number-one ranked ad library in the market used by 9,702 out of 70,000+ Google Play apps with 50,000 or more downloads. These applications have been downloaded over 8.7 billion times. As with many ad libraries, Flurry (prior to version 3.4) uses HTTPS with a vulnerable trust manager to upload information like device IMEI and location.

      In a proof of concept for an MITM attack, we successfully used a vulnerable version of Flurry to capture the information sent to the remote server https://data.flurry.com./ We successfully matched the location of the simulation device against the data being sent by Flurry. In Figure 2, we show a hexdump of the data we captured during this MITM attack.

  5. Blame Apple. by Anonymous Coward · · Score: 0

    They're the ones who created this situation in the first place.

    Every year we're seeing new devices with new screen sizes and new versions of iOS that require things to be built slightly differently then before, targeting a new SDK that inevitably requires source level changes to be fully compatible with. At the same time, they're constantly outdating the former SDKs and versions of Xcode in an attempt to force developers to upgrade their apps, because if they don't- then the users start complaining about the black bars on their screen because the app isn't optimized for whatever whacky resolution Apple decided to go with this year.

    The net result of all of this is that it costs a phenomenal amount of time and money to continue supporting iOS applications on the app store. You can't just submit something and keep it up to date, supporting whatever versions of the hardware you originally ran on and running in a compatibility layer on anything newer- eventually Apple will force you to upgrade your app to support everything new again. Since Apple won't remove an older app from the app store (unless it's flat out crashing or refusing to work at all), most developers opt to simply "abandon" their iOS apps instead, leaving them up on the store in the state that they were before Apple told them that they'd have to overhaul the entire thing just to submit a minor update.

    So it's partially the developers fault for being lazy and using AFNetworking in the first place, but it's more Apple's fault for making it so damned difficult (if not impossible) to submit a minor update without being sucked into redoing everything under a new version of Xcode instead.

  6. missing the words OPEN SOURCE in the title by Anonymous Coward · · Score: 0

    Lets not let people know it is an OPEN SOURCE Library, shall we.

    1. Re:missing the words OPEN SOURCE in the title by kthreadd · · Score: 1

      Nowadays that's more or less the default scenario.

    2. Re:missing the words OPEN SOURCE in the title by ledow · · Score: 1

      I'm sorry... were you under the impression that people have ever claimed that open-source means you can't get any bugs in it?

      Then you're an idiot.

      But don't let us stop you spreading your misinformation based on a complete misinterpretation of other people's statements about open-source code.

      (P.S. You can't stop bugs in any code. But if this was a closed-source library, probably the only people who would ever know about it, see the buglist, would be able to fix it etc, would be the people who wrote it.)

    3. Re:missing the words OPEN SOURCE in the title by acoustix · · Score: 1

      Why does it need to be in the title? It's in the summary.

      --
      "A plan fiendishly clever in its intricacies"- Homer Simpson
  7. Re:Die fanboi. by MobileTatsu-NJG · · Score: 2

    Oh, Noes! My Apple is far safer than anything. Steve told me so.

    What's funny is that Fandroids are so hostile to everybody else that right now Google is running ads showing animals getting along with other animals. It's hard to take you seriously when your own overlord is telling you to reign it in.

    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  8. Optimal Default Conditions by Etherwalk · · Score: 0

    Does Apple have to sign and push the 3rd party shared library itself? That would be the only safe solution I can think of, because otherwise you're giving apps the ability to modify each others' code, which is clearly a recipe for potential abuse. Apple can't realistically take the responsibility for monitoring, compiling, and pushing updates for third-party libraries, which would be nearly impossible to do in practice. Alternatively, there's no way Apple could allow the apps themselves to update the shared libraries, because then a single app could break or even hack thousands of other apps with a bad update. Delegating that authority to a third-party (like the library developer) is equally problematic, because there's no way for them to properly test any changes before pushing them, and the potential for abuse still exists.

    DLLs make a lot of sense for shared systems libraries, but as far as third-party libraries, they'd be a practical nightmare.

    Not at all; a developer is making a decision to trust a third-party when he incorporates the third-party library into his app. So long as you allow a developer to flag his app as needing to rely on an older version, the benefits would significantly outweigh the risks. Notably, even *IF* one party were to use a library to hack all those apps, you could still fix it in one place rather than having a vulnerability in every app for a year.

    You would have to make strict standards for what behavior libraries can change to fall under this shared model, to minimize the likelihood of breaking any programs, but it's a LOT better to default to "secure even though 1 in 100 apps that both needs an old library and has a developer who failed to flag it as needing an old library has problems until fixed" than it is to "1500 apps insecure, with no timetable for securing."

    1. Re:Optimal Default Conditions by Anonymous Coward · · Score: 1

      You are reaching ridiculous levels to try and justify your belief that somehow this is all Apple's fault and that they should have engineered their system better.

      This is the App author's responsibility, nobody else's. They took a decision to use a third party library rather than use whatever tools or libraries Apple provides. It is, however, easy for them to do the update - simply link against the new library and re-publish to the app store.

    2. Re:Optimal Default Conditions by Gr8Apes · · Score: 2, Insightful

      Not at all; a developer is making a decision to trust a third-party when he incorporates the third-party library into his app.

      And there's your answer - it's the developer's decision, much like if they wrote their own crappy code. It's not Apple's problem. The true headline should be "Companies X, Y, Z produced insecure apps - don't use these"

      --
      The cesspool just got a check and balance.
    3. Re:Optimal Default Conditions by BronsCon · · Score: 1

      I don't think he was saying it was Apple's fault, just that Apple didn't prevent it. There's a huge distinction. I mean, anyone posting here was alive on 9-11-2001 and none of us prevented it; are you saying we all caused it? I mean, it's true that if we had all done things a little differently, it could have been prevented, right?

      The fact is that Apple could have implemented a system that would have at least made this an avoidable situation. Of course, it wouldn't have stopped developers from statically linking this or any other library, leading to the same problem, but it would have made it much less likely. It is, however, Apple's fault that the current situation was the only option; the headline could have, instead, read "App Developers Not Using Apple's Security Measures, Creating Vulnerable Apps", which would read as a good bit of PR for Apple and bad press for those developers, whereas the current situation has people pointing the finger at both sides.

      As far as which is the better technical decision, that's a debate that will continue indefinitely. For marketing purposes[1][2], offering a signed repository of libraries would have protected Apple's interests in this instance, even if it didn't prevent developers from statically linking this library.

      [1] And what is Apple, really, if not a marketing firm that just happens to produce some electronic devices?
      [2] Don't get me wrong, I quite enjoy my 2 MacBook Pros, iPad, and 3rd gen iPod, but let's not delude ourselves by thinking they're really better than the competition and anything but marketing.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  9. And you thought 1500 apps is bad? by Skinkie · · Score: 1

    What about every app that does a HTTP gets the wrong content-type? http://stackoverflow.com/quest...

    --
    Support Eachother, Copy Dutch Property!
  10. Find those 1500 apps by fulldecent · · Score: 1

    Is there a way that I can download en masse apps on the app store to find which libraries they contain and perform other analysis of them?

    --

    -- I was raised on the command line, bitch

  11. Re:Die fanboi. by BronsCon · · Score: 1

    Oh, I get along with Apple users just fine. I am one, along with my wife, my best friend, and his wife. I'm the only one out of the group who uses an Android phone, but I'm very happy with both of my MacBook Pros, my iPad, and my iPod. What I can't stand, and I feel this may be the case for most Android users, is the type of idiot who fully buys into the "Apple made it so it's perfectly secure" marketing bullshit.

    For reference, I'm not the AC you were replying to. I can tell, however, that the target of their attack is precisely the type of idiot I mentioned, and not the intelligent Apple users who realize that anything can be made vulnerable; the question is, which are there more of? It's hard to say, since the idiots are so vocal.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  12. Remove the app by tepples · · Score: 1

    In other words, all 1000 apps' developers might have upgraded their code 3.4 seconds after the patch released, and still they'd have the flawed code in the version available in the app store.

    A responsible developer would accept responsibility, remove the vulnerable version of the app entirely from the App Store, and accept making zero sales until Apple finishes reviewing the new version.

  13. iPod touch 4 doesn't have enough RAM for iOS 7 by tepples · · Score: 1

    anything from iPhone 4 upwards can use iOS 7

    Except for the iPod touch 4, which doesn't have enough RAM to run iOS 7.