An Analysis of Strengths and Weaknesses of TLS Utilization in iOS Applications
Mobile applications are granted access to large amounts of data both stored and sensed on a user’s device. While the data stored on these devices can be protected with encryption, where the private keys are protected through a combination of biometric authentication and passcodes, it is important to consider the security of data in transit and the many connections applications make to different domains. Often, these domains are unknown to the user and can include third-party domains and tracking services. In this paper, we investigate the current state of transport layer security (TLS) utilization across the top information sharing applications in the iOS App Store. Through this study, we are able to better understand which domains follow best practices and use recommended ciphers and TLS versions. We also provide deeper insight into the prominent use of tracking services and how they differ in their utilization of TLS. Our study utilizes a proxy service to detect the domains that applications communicate with and then uses OpenSSL to analyze the supported ciphers, TLS versions, and certificate details. We also leverage domain analysis from DuckDuckGo Tracker Radar to differentiate tracking domains. From this study, we analyzed 965 unique domains and found that 935 (96%) use a cipher that is not recommended and only 23 (2%) of the domains strictly followed recommendations on cipher and TLS utilization. While most domains are utilizing recommended versions of TLS and recommended ciphers, this study shows there are many that still support vulnerable versions of TLS and vulnerable ciphers, leaving the user’s data at risk.
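The per-domain check described in the abstract, sketched as an added example that is not code from the paper: one function pins a handshake to a single TLS version and cipher, and another labels a domain by everything it supports rather than what it negotiates. The recommended-version set, the cipher rule, the function names and the `.example` domains are assumptions made here; the abstract does not list the paper's recommended set.

```python
import socket
import ssl

# Assumed policy for this example; the abstract does not give the paper's list.
RECOMMENDED_VERSIONS = {"TLSv1.2", "TLSv1.3"}

def cipher_recommended(name):
    """Assumed rule: TLS 1.3 suites, or (EC)DHE key exchange with an AEAD cipher."""
    if name.startswith("TLS_"):
        return True
    return name.startswith(("ECDHE-", "DHE-")) and ("GCM" in name or "CHACHA20" in name)

def accepts(host, version, cipher=None, port=443, timeout=5):
    """True if host completes a handshake pinned to one ssl.TLSVersion (and, for
    TLS 1.2 and below, one OpenSSL cipher name). Certificate checks are off: this
    measures what the server will negotiate and sends no application data. False
    can also mean the local OpenSSL build refuses that version or cipher."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ctx.maximum_version = version
    try:
        if cipher:
            ctx.set_ciphers(cipher)
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except OSError:  # ssl.SSLError is a subclass of OSError
        return False

def classify(versions, ciphers):
    """Label a domain from the full sets it supports, not the one it negotiated."""
    weak_v = sorted(set(versions) - RECOMMENDED_VERSIONS)
    weak_c = sorted(c for c in ciphers if not cipher_recommended(c))
    return {"weak_versions": weak_v, "weak_ciphers": weak_c,
            "strict": not weak_v and not weak_c}

# Constructed scan results for hypothetical domains, shaped like probe output.
SCAN = {
    "api.example": ({"TLSv1.2", "TLSv1.3"},
                    {"TLS_AES_128_GCM_SHA256", "ECDHE-RSA-AES128-GCM-SHA256"}),
    "cdn.example": ({"TLSv1.2", "TLSv1.3"},
                    {"TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA"}),
    "legacy.example": ({"TLSv1", "TLSv1.1", "TLSv1.2"},
                       {"ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA", "DES-CBC3-SHA"}),
}

def summarize(scan):
    reports = [classify(v, c) for v, c in scan.values()]
    return {"strict": sum(r["strict"] for r in reports),
            "weak_cipher": sum(bool(r["weak_ciphers"]) for r in reports),
            "weak_version": sum(bool(r["weak_versions"]) for r in reports)}
```

In the constructed data, `cdn.example` would negotiate a recommended suite with a modern client yet still counts as supporting a non-recommended cipher, which is the distinction the reported figures turn on.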