Tag: Apple security

Security flaw discovered that could impact Apple’s mobile payments service

Apple Watch has a flaw that could leave some consumer information exposed

A security flaw has been discovered on the Apple Watch concerning Apple’s mobile payments service. Apple Pay has become quite popular among iOS users, receiving praise for being secure and convenient. On the new iPhone, consumer financial information is kept secure thanks to biometric technology. Those wishing to make a mobile transaction through Apple Pay on an iPhone must scan their fingerprint before they can do so. This feature is absent from Apple Watch, however.

Watch uses skin contact as a protection method

Apple Watch is not equipped with a fingerprint scanner, so it must rely on other security solutions in order to keep consumer information safe. GadgetHacks recently posted a video to YouTube that highlights a security flaw. Though Apple Watch does not use a fingerprint, it must maintain contact with a user’s skin, otherwise the device will be locked until they input their password. This is meant to protect the device, but the security flaw has to do with the amount of time it takes for the device to register that it is no longer in contact with human skin.

Simple flaw in sensors could give thieves access to someone’s mobile payments accounts

According to GadgetHacks, it takes about a second before the device detects that it has no contact with human skin. This means that someone could steal the Watch and simply place their finger on the sensor in order to avoid it being locked. The sensor cannot tell the difference between the skin on the wrist and the skin on the finger. While this may not seem like a major problem, those that manage to steal the device and exploit this flaw could have access to consumer information, including their mobile payments accounts.

Apple may not feel the need to address security flaw

Apple has been careful to ensure that its mobile payments service is as secure as possible. The company has managed to succeed in this endeavor quite well, but absolute security can be an impossible task to accomplish. Whether or not Apple will address the security flaw with the Watch device is unknown. The flaw may be considered so minor that it does not require any significant attention from the company.

Huge mobile security vulnerability may exist in iOS apps

1,500 applications could be open to hackers as a result of outdated code that they continue to contain.

Analytics company SourceDNA has identified a mobile security bug that likely still exists in about 1,500 apps and that could open up these iOS App Store applications to “man in the middle” attacks.

The problem exists in the way that the iOS apps create secure connections with servers.

The reason is that the connection that is established has a bug in it. This means that a mobile security vulnerability exists, in that anyone who intercepts the data being transmitted from an iPhone or iPad would be able to access the login names, passwords, and a number of other forms of private information that could be sent by way of the HTTPS protocol. When SourceDNA discovered the bug, it reported that among the companies that have kept the outdated code in at least one of their iOS apps were Microsoft, Yahoo, Uber, and Citrix. This means that millions of Apple device users could have their privacy threatened if the wrong person should choose to attack.

This type of mobile security threat makes it possible for an attacker to take hold of data on the device.

This is because an attack through a “man in the middle” vulnerability uses a fake WiFi hotspot in order to intercept data from devices that have connected to it. Typically, this sort of attack, which is also frequently called a “coffee shop hack”, isn’t possible because those artificial hotspots don’t have adequate security certificates. However, the bug that has been found in the iOS apps has stopped those applications from properly checking for those certificates.

The origin of the bug was in AFNetworking, open-source networking code that has been used in the development of thousands of different apps in order to allow them to connect to servers. Version 2.5.1 of the code was introduced in January, and it contained the bug, which allowed connections to occur without checking HTTPS security certificates. A corrected version, 2.5.2, has since been introduced, but there remain about 1,500 apps at the iOS App Store that have yet to update.
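
For a development team checking its own apps, the version numbers above can be turned into a dependency check. The following is an added example, not code from SourceDNA or the AFNetworking project: it assumes the app pulls AFNetworking in through CocoaPods and reads the resolved versions from a `Podfile.lock`, and the sample lock file is constructed for illustration.

```python
import re

VULNERABLE = "2.5.1"   # version the article names as carrying the bug
FIXED = "2.5.2"        # version the article names as corrected

# Constructed sample Podfile.lock content (not taken from a real app).
SAMPLE_LOCK = """\
PODS:
  - AFNetworking (2.5.1):
    - AFNetworking/NSURLConnection (= 2.5.1)
    - AFNetworking/Security (= 2.5.1)
  - AFNetworking/NSURLConnection (2.5.1):
    - AFNetworking/Security
  - AFNetworking/Security (2.5.1)
  - SDWebImage (3.7.2)

DEPENDENCIES:
  - AFNetworking (~> 2.5)
"""

# A resolved pod sits at two-space indent: '  - Name/Subspec (1.2.3)', optional ':'.
# Deeper-indented lines are that pod's own requirements and are ignored.
POD_LINE = re.compile(r'^  - "?([^\s"(]+) \(([^)]+)\)"?:?\s*$')

def resolved_pods(lock_text):
    """Return {pod_name: version} from the PODS section only."""
    pods, in_pods = {}, False
    for line in lock_text.splitlines():
        if line and not line[0].isspace():
            in_pods = line.strip() == "PODS:"  # any other top-level key ends it
            continue
        if in_pods:
            m = POD_LINE.match(line)
            if m:
                pods[m.group(1)] = m.group(2)
    return pods

def afnetworking_findings(lock_text):
    """List (pod, version, status) for AFNetworking and its subspecs."""
    out = []
    for name, version in sorted(resolved_pods(lock_text).items()):
        if name.split("/")[0] == "AFNetworking":
            status = "VULNERABLE" if version == VULNERABLE else "not the flagged version"
            out.append((name, version, status))
    return out

if __name__ == "__main__":
    for name, version, status in afnetworking_findings(SAMPLE_LOCK):
        print(f"{name} {version}: {status} (fixed in {FIXED})")
```

The check matches only resolved versions in the `PODS` section, so a loose constraint such as `~> 2.5` under `DEPENDENCIES` is not mistaken for the installed version.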