1,500 iOS apps have HTTPS-crippling bug - simas
http://arstechnica.com/security/2015/04/1500-ios-apps-have-https-crippling-bug-is-one-of-them-on-your-device

======
NateLawson
Hi, I'm the founder of SourceDNA. I'm happy to answer questions here.

It's difficult to track which 3rd-party libraries your apps include,
especially in a large company and across acquisitions. If one of those
libraries is vulnerable, how does its vendor (or open-source author) find the
relevant developers and notify them?

At SourceDNA, we're constantly indexing mobile apps and analyzing their code.
On March 30th, we were able to look up which apps use AFNetworking (over 100k
in the whole store), select those which were updated recently (20k), and then
list which ones had the vulnerable code (AFNetworking 2.5.1, about 1,000
apps).

We just finished an update scan yesterday to see how well developers have been
fixing this flaw. We were shocked to find that while 250 apps have been
patched, the total number of vulnerable apps has risen to 1,500! Our theory is
that these apps were being updated for other reasons and the development cycle
is slow enough that the flawed code from Feb-March is just now appearing in
recent releases.

We're offering a service to developers. Sign up with your email and we'll
monitor your apps for you and notify you of flaws like this, as well as how to
fix them. It is extremely low noise since we only tell you about flaws that
affect your own code.

Check it out and I'd love your feedback:
[http://searchlight.sourcedna.com](http://searchlight.sourcedna.com)
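The comment above describes the procedure at inventory scale: find every app that includes a given library, keep the recently updated ones, then flag those that still pin the version named as vulnerable. The script below is an added example, not SourceDNA's code. It assumes each app ships a CocoaPods Podfile.lock (the thread does not say how SourceDNA detects library versions), treats AFNetworking 2.5.1 as the vulnerable version exactly as the thread states, and uses constructed lock-file excerpts and update dates in place of real App Store data.

```python
"""Inventory check for a known-vulnerable third-party library version.

Added example (not SourceDNA's code). Assumes each app has a CocoaPods
Podfile.lock and that the vulnerable version is exactly AFNetworking 2.5.1,
as the thread states; other versions would need the library's advisory.
"""
import re
from datetime import date

# Constructed Podfile.lock excerpts for three hypothetical apps.
SAMPLE_LOCKFILES = {
    "AppAlpha": """PODS:
  - AFNetworking (2.5.1):
    - AFNetworking/NSURLSession (= 2.5.1)
  - AFNetworking/NSURLSession (2.5.1)
  - Mantle (1.5.4)
""",
    "AppBeta": """PODS:
  - AFNetworking (2.5.0)
  - SDWebImage (3.7.1)
""",
    "AppGamma": """PODS:
  - AFNetworking (2.5.1)
""",
}

# Constructed last-update dates standing in for App Store metadata.
LAST_UPDATED = {
    "AppAlpha": date(2015, 4, 10),
    "AppBeta": date(2015, 4, 12),
    "AppGamma": date(2014, 11, 3),
}

# Library -> set of versions known to carry the flaw (from the thread).
VULNERABLE = {"AFNetworking": {"2.5.1"}}

# Matches a top-level PODS entry such as "  - AFNetworking (2.5.1):".
POD_LINE = re.compile(r"^  - ([A-Za-z0-9_.+-]+) \(([^)]+)\)")


def parse_pod_versions(lockfile_text):
    """Return {pod_name: version} for top-level entries of the PODS section.

    Subspecs such as AFNetworking/NSURLSession are collapsed onto their
    parent pod; nested dependency lines (4-space indent) are ignored.
    """
    versions = {}
    in_pods = False
    for line in lockfile_text.splitlines():
        if line.startswith("PODS:"):
            in_pods = True
            continue
        if in_pods and line and not line.startswith(" "):
            break  # reached the next top-level section (DEPENDENCIES: etc.)
        m = POD_LINE.match(line)
        if m:
            name = m.group(1).split("/")[0]
            versions.setdefault(name, m.group(2))
    return versions


def find_vulnerable_apps(lockfiles, last_updated, vulnerable, since):
    """Return sorted (app, library, version) tuples for apps updated on or
    after `since` whose lock file pins a version in the vulnerable set."""
    hits = []
    for app, text in sorted(lockfiles.items()):
        if last_updated[app] < since:
            continue  # not recently updated; outside the scan window
        for lib, ver in parse_pod_versions(text).items():
            if ver in vulnerable.get(lib, ()):
                hits.append((app, lib, ver))
    return hits


if __name__ == "__main__":
    window_start = date(2015, 3, 1)  # constructed scan window
    for app, lib, ver in find_vulnerable_apps(
        SAMPLE_LOCKFILES, LAST_UPDATED, VULNERABLE, window_start
    ):
        print(f"{app}: still ships {lib} {ver}, which is in the vulnerable set")
```

Running it reports only AppAlpha: AppGamma also pins 2.5.1 but falls outside the update window, and AppBeta pins a version that the thread does not name as vulnerable. Widening the window, as the comment's follow-up scan did, is the `since` argument.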

