Ankit Sachan ankits16

Last week, a number of publications ran a story about 1,000s of apps allegedly being vulnerable due to an SSL bug in AFNetworking. These articles contain a number of inaccurate and misleading statements on this matter.

We are publishing this response to clarify and correct these statements.

Background Information

For those not familiar with AFNetworking, here are some relevant details about the library for this story:

  • AFNetworking is an open source, third-party library that provides convenience functionality on top of Apple's built-in frameworks.
  • One component of AFNetworking is AFSecurityPolicy, which handles authentication challenges according to a policy configured by the application. This includes the evaluation of X.509 certificates which servers send back when connecting over HTTPS.