On Friday, Apple announced a significant security flaw affecting literally hundreds of millions of iPhones, iPads and iPod Touches running iOS 7, the latest version of the company’s mobile operating system.
Baked into the system was a flaw that allowed an attacker, under certain circumstances, to intercept and read, in plain sight, traffic that users thought was encrypted via Secure Sockets Layer (SSL) technologies. That would include email, tweets, Web browsing and, potentially, mobile banking sessions that occur within the Web browser.
Mark Bower, a vice president at Voltage Security, elaborated: “For quite some time, attackers with knowledge of this bug had the ability to mount man-in-the-middle attacks to users operating Apple devices. This could have allowed interception or modification of SSL communications which are supposed to be private and encrypted.”
Experts appear divided as to whether this flaw also impacted traffic via apps, such as mobile banking apps.
On Friday, Apple issued a patch that it said fixed the problem on iPad, iPhone and iPod Touch.
However, the company also indicated that a related flaw exists in its OS 10 operating system for desktop and laptop computers. No patch has been issued so far, although Apple has indicated that one is imminent.
Note, too, that the SSL attack can occur only when the hacker has control over a WiFi network (typically a public network) or has erected a rogue cellular network (technically doable but sophisticated and rare). This requires significant skill on the part of the attacker, said experts.
Users who never access public WiFi probably have nothing to fear, said most experts.
Experts also, unanimously in this reporter’s poll, urged Apple mobile device owners to download the security patches as soon as possible.
Experts also suggested that financial institutions such as credit unions alert their members who use Apple devices to the need to download the patch, which is free.