AFNetworking has a flaw that allows attackers to spoof SSL servers. The vulnerability exists because the default value of AFSecurityPolicy.validatesDomainName is not set to YES. As a result, the library does not verify the server hostname against the domain name in the subject's Common Name (CN) of the X.509 certificate.
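
The mitigation on the client side, as an added example (not AFNetworking's own code and not part of the original advisory): set validatesDomainName explicitly on the policy, and optionally re-check the server trust against an SSL policy bound to the expected host with the Security framework. The helper names MakeStrictManager and TrustMatchesHost are hypothetical, and SecTrustEvaluateWithError assumes iOS 12 / macOS 10.14 or later.

```objc
#import <AFNetworking/AFNetworking.h>
#import <Security/Security.h>

// Hypothetical helper: build a session manager whose policy checks the hostname.
static AFHTTPSessionManager *MakeStrictManager(NSURL *baseURL) {
    AFSecurityPolicy *policy =
        [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeNone];
    policy.allowInvalidCertificates = NO; // reject untrusted chains
    policy.validatesDomainName = YES;     // set explicitly; do not rely on the default

    AFHTTPSessionManager *manager =
        [[AFHTTPSessionManager alloc] initWithBaseURL:baseURL];
    manager.securityPolicy = policy;
    // Fail fast in debug builds if a later change weakens the policy.
    NSCAssert(manager.securityPolicy.validatesDomainName,
              @"hostname validation is off");
    return manager;
}

// Hypothetical helper: independent check that the presented chain is valid
// for `host`, using an SSL policy bound to that hostname.
static BOOL TrustMatchesHost(SecTrustRef serverTrust, NSString *host) {
    if (serverTrust == NULL || host.length == 0) {
        return NO; // nothing to verify against: fail closed
    }
    SecPolicyRef sslPolicy = SecPolicyCreateSSL(true, (__bridge CFStringRef)host);
    if (sslPolicy == NULL) {
        return NO;
    }
    OSStatus status = SecTrustSetPolicies(serverTrust, sslPolicy);
    CFRelease(sslPolicy);
    if (status != errSecSuccess) {
        return NO;
    }
    CFErrorRef error = NULL;
    bool trusted = SecTrustEvaluateWithError(serverTrust, &error);
    if (error != NULL) {
        NSLog(@"TLS trust evaluation failed for %@: %@", host,
              (__bridge NSError *)error);
        CFRelease(error);
    }
    return trusted ? YES : NO;
}
```

TrustMatchesHost can be called from an NSURLSession authentication-challenge delegate with challenge.protectionSpace.serverTrust and challenge.protectionSpace.host, cancelling the challenge when it returns NO.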