Thought a quick throwback to the great southern philosopher Lewis Grizzard would be nice while looking at this latest revelation. It would seem that many iOS developers have made a grave error in not upgrading the AFNetworking code to the current level. Because of this, some 1500+ iOS apps will easily divulge information (passwords, secure keys, etc.) to anyone using very basic MITM attacks or proxies. A team of security researchers found the error during some investigations they were conducting. This one is going to create a flurry of developer activity getting it all squared away and tested properly.
But why does any of that really matter? Should I be worried? One of the apps that falls to this is the Microsoft Exchange connector inside of the iOS mail app. This one could be very problematic for the enterprise. Several months ago, looking at the security or lack thereof for folks using unsecured hotel Wi-Fi systems, I built out a test bed to work on the ideas of how dangerous these Wi-Fi connections really are. Most end users don’t have a skeptical side; they just want to connect their devices, get the email, surf the web, and post their updates. The security of the connection is something that rarely causes them a second thought. If the end user devices are left with their defaults intact, they will repeatedly try to connect to known access points. Using some very lovely tools like those from Pwnie Express, or Easy-Creds, or a roll-your-own kit on Kali, you can create a very robust tool set to test out these concepts.
Using Wi-Fi connections that I knew were saved on some iOS devices, I was able to capture both user name and password for Active Directory\Exchange accounts. This was easily reproducible on several iOS devices. So the bottom line becomes: if you have an iOS device that will automatically connect to saved Wi-Fi connections, and you use Microsoft Exchange connected email on the device, you risk being compromised already. The best solution is to force the iOS device to ask before any Wi-Fi connections, and to know what Wi-Fi you should be connecting to. Second would be a private VPN to secure the network traffic if you do wind up connecting to a bogus network.