Error in AFNetworking code allows to intercept user HTTPS traffic

    A critical vulnerability was found in one of the most popular network frameworks on iOS and OS X systems. AFNetworking , namely version 2.5.1, turned out to be the target of specialists from Minded Security .

    image

    In the evaluateServerTrust method (AFSecurityPolicy.m file), the SSL certificate validation logic occurs.
    - (BOOL)evaluateServerTrust:(SecTrustRef)serverTrust
          forDomain:(NSString *)domain
    {
      NSMutableArray *policies = [NSMutableArray array];
      if (self.validatesDomainName) {
         [policies addObject:(__bridge_transfer id)SecPolicyCreateSSL(true, (__bridge CFStringRef)domain)];
      } else {
         [policies addObject:(__bridge_transfer id)SecPolicyCreateBasicX509()];
      }
      SecTrustSetPolicies(serverTrust, (__bridge CFArrayRef)policies);
      if (self.SSLPinningMode != AFSSLPinningModeNone &&
     !AFServerTrustIsValid(serverTrust) && 
    !self.allowInvalidCertificates) {
       return NO;
     }
     NSArray *serverCertificates = AFCertificateTrustChainForServerTrust(serverTrust);
        switch (self.SSLPinningMode) {
            case AFSSLPinningModeNone:
                return YES;
    


    By default, SSLPinningMode is set to AFSSLPinningModeNone, which completely disables certificate verification. This makes SSL MITM possible .
    This framework is quite popular. It is used by applications such as Pinterest, Heroku, Citrix OpenVoice Audio Conferencing, Alibaba and others.

    After the details of the vulnerability were published, checks of other applications from AppleStore were carried out. The results are disappointing. 1,500 applications were running a leaky version of AFNetworking.
    Next, a service was launched to check applications for vulnerabilities: searchlight.sourcedna.com/lookup
    In version 2.5.2, the bug is partially closed, but there is still a certificate validation bypass due to a lack of host verification.

    Related Links:
    SSL MiTM attack in AFNetworking 2.5.1 - Do NOT use it in production!
    1,500 iOS apps have an HTTPS-crippling bug. Is one of them on your device?
    AFNetworking on Habré

    Also popular now: