Just over a week ago, Ars Technica posted an article on how a critical HTTPS bug may open 25,000 iOS apps to eavesdropping attacks. If you are a customer of our mobile eReader product, DL Reader, or a user of an app built on it, you may have wondered whether your app was one of those 25,000. After careful analysis, we wanted to give you an update on this subject.
The short answer is no: DL Reader is not affected.
The long answer: details about the SSL vulnerability were originally published by the security research company SourceDNA. iOS apps using a popular open-source networking library called AFNetworking were reported to be susceptible to a flaw in the library's SSL certificate validation, which could let an attacker positioned on the network path intercept data the app sends over HTTPS. Although it was originally stated that all versions of AFNetworking prior to 2.5.3 were open to the attack, this was later revised to exclude the AFNetworking 1.x line.
So where does DL Reader fit into this?
DL Reader incorporates AFNetworking 1.3.4, so we do not believe that DL Reader is affected. If your apps are built with a later version of the library, you will need to verify your app yourself, for example using the tool provided by SourceDNA. DL Reader was initially listed in error as one of the 25,000 vulnerable apps, but was later reclassified as "not vulnerable" once it was clarified that the attack only affected AFNetworking 2.x.
Furthermore, although AFNetworking is linked into DL Reader, it is used only by the eSync cloud capability that is built into our app to demonstrate the potential of the reader apps. This feature is disabled in our branded readers and is likely disabled by customers who develop readers based on DL Reader, so even the 1.x code is normally not reached.
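The first step in verifying your own app is simply finding out which AFNetworking version it links. The following is an added example, not code from the original post or from SourceDNA: it reads a CocoaPods Podfile.lock, extracts the resolved AFNetworking version from the PODS section, and flags it against the version range as this post describes it (a 2.x release earlier than 2.5.3). The lockfile contents below are constructed for illustration.

```python
import re

# Constructed sample of a CocoaPods Podfile.lock (not taken from any real project).
SAMPLE_PODFILE_LOCK = """PODS:
  - AFNetworking (2.5.2):
    - AFNetworking/NSURLConnection (= 2.5.2)
    - AFNetworking/NSURLSession (= 2.5.2)
    - AFNetworking/Security (= 2.5.2)
  - AFNetworking/NSURLConnection (2.5.2):
    - AFNetworking/Reachability
    - AFNetworking/Security
  - AFNetworking/Security (2.5.2)
  - SomeOtherPod (1.0.0)

DEPENDENCIES:
  - AFNetworking (~> 2.5)
  - SomeOtherPod
"""

# Resolved pod entries in the PODS section look like "  - AFNetworking (2.5.2):" or,
# for subspecs, "  - AFNetworking/Security (2.5.2)". DEPENDENCIES lines carry
# requirements such as "~> 2.5" rather than exact versions, so they are skipped.
POD_LINE = re.compile(r"^\s*-\s*AFNetworking(?:/[\w-]+)?\s*\((\d+(?:\.\d+)*)\):?\s*$")


def parse_version(text):
    """'2.5.2' -> (2, 5, 2); tuples compare correctly where strings would not."""
    return tuple(int(part) for part in text.split("."))


def resolved_afnetworking_version(lockfile_text):
    """Return the resolved AFNetworking version from the PODS section, or None."""
    in_pods = False
    for line in lockfile_text.splitlines():
        stripped = line.strip()
        # Top-level section headers ("PODS:", "DEPENDENCIES:") have no leading dash.
        if stripped.endswith(":") and not stripped.startswith("-"):
            in_pods = stripped == "PODS:"
            continue
        if not in_pods:
            continue
        match = POD_LINE.match(line)
        if match:
            return parse_version(match.group(1))
    return None


def is_in_reported_range(version):
    """True if the version is in the range described in this post: 2.x before 2.5.3."""
    return version[0] == 2 and version < (2, 5, 3)


def assess(lockfile_text):
    """Classify a lockfile as not linking AFNetworking, inside, or outside the range."""
    version = resolved_afnetworking_version(lockfile_text)
    if version is None:
        return ("not-linked", None)
    version_string = ".".join(str(part) for part in version)
    if is_in_reported_range(version):
        return ("in-reported-range", version_string)
    return ("outside-reported-range", version_string)


if __name__ == "__main__":
    status, version = assess(SAMPLE_PODFILE_LOCK)
    print("AFNetworking %s: %s" % (version, status))
```

Two caveats apply. This check tells you only which library version is linked, not whether the affected code path is ever reached: as noted for DL Reader, an app can carry the library for a feature that is switched off. It also encodes the version range as described in this post; if AFNetworking is vendored as source rather than pulled in by CocoaPods there is no Podfile.lock, and the version has to be read from the library's own files instead.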
To sum up, our eBooks team has been tracking this issue closely since the news first broke on Ars Technica. Our initial assessment determined that DL Reader had minimal exposure, if any. We then conducted more comprehensive research to clear up the confusion about which AFNetworking versions were affected, and to evaluate our options should the threat exist in the version used in DL Reader. Now that AFNetworking 1.x has been cleared, we are happy to report that DL Reader was never vulnerable to this particular threat. We will continue to monitor security vulnerability reports closely in the future. For now, we will not make any changes to DL Reader, in order to preserve its stability.
If you have any questions or concerns, please contact us at firstname.lastname@example.org.