We already meet Will Strafach, back when we talked about Meitu. Among other ventures, Strafach runs verify.ly service, a database of mobile apps that you can use to find out which type of your confidential data those apps use. Thus he uncovered 76 iOS apps that although using Apple’s ATS (“App Transport Security”) they can be fooled into using an unprotected connection. ATS is an iOS 9 feature that should force all apps to use HTTPS protocol instead of the less secure HTTP. The caveat is that hackers can sniff the connection while the app transfers data to the server and get them. Besides, technically it’s not an Apple bug, so programmers in Cupertino can do very little.
Strafach sorted those 76 apps based on their risk, publishing on his Medium blog the list of the low-risk ones since the information that could be sniffed are petty things (such as device info, or login credential with no password included). The 43 remaining apps are deemed medium to high risk since they allow for entire login token sniffing, or bank or medical data. Strafach won’t publish this list before contacting banks, medical centers and more broadly their developers.
In the low-risk apps list, we find many about Snapchat (and back in March 2016 Strafach warned that their platform was “un-secure”), a QR- and barcode app, some VPNs and a couple of banking apps.
Two simple suggestion to be a little be more protected: use a VPN (beware of those who claim to be safe and are scam instead), or as a fallback use your smartphone data connection: yes, anyone can still tap in, but it’s more complicated.