Although iOS is recognized in the market as having security far superior to that of other operating systems, part of that security remains the responsibility of third parties, mainly the developers who create and maintain the applications and online services used daily by hundreds of millions of people.
Apple is trying to help by setting minimum controls (such as App Transport Security, or ATS, discussed earlier), but there are still risks that the community often overlooks.
One of the most extreme concerns the security of communications between applications and their respective services on the Internet, an area where requirements such as ATS should inspire developers to comply with best practices. However, this is not what experts are seeing: a recent study published by Will Strafach warns of several popular applications that are susceptible to communication interception vulnerabilities, even when protected by security methods using Transport Layer Security (TLS).
Strafach observed this scenario while developing verify.ly, a subscription product that aims to support developers in analyzing their applications for various vulnerabilities. His work lists 76 different company binaries. Altogether, more than 18 million users are affected by using them daily, notably some applications that handle Snapchat credentials, for example.
At the last edition of the Worldwide Developers Conference (WWDC), in June last year, Apple said it expected to make the use of ATS mandatory early this year; that was postponed in December, and no new deadline is expected. However, even when its best practices are observed, adopting ATS in its current state does not mitigate the risks raised by Strafach, because poorly configured code is still capable of making iOS treat certain connections subject to interception as valid, something that probably should have motivated the postponement of Apple's plans.
For users, escaping these problems still depends on adhering to practices that have been little adopted and that also risk being ineffective, such as subscribing to a VPN service or avoiding public Wi-Fi networks. In the end, the best solution should come from third-party developers, who increasingly need to be clear about the importance of adopting in-depth security in their processes and in the design of their products.