Multipeer Connectivity on iOS 9
The issue was that an attacker on the network could downgrade the encryption level of a Multipeer Connectivity session configured with MCEncryptionOptional down to MCEncryptionNone (i.e. plaintext communication), even if authentication was enabled.

Apple did not fix the core issue with MCEncryptionOptional, as it would require significant changes to the implementation in order to have each peer validate the security settings exchanged during the handshake after authentication is performed.

However, they changed the default encryption level (used when the app does not explicitly specify one) from MCEncryptionOptional to MCEncryptionRequired, which is not vulnerable to the downgrade attack. Overall, this change should protect most apps, but the ideal solution would have been to remove
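Rather than depending on the framework default, an app can pin the encryption level and verify the peer's certificate itself. The following is an added example, not code from the original post or from Apple; `pinnedPeerCertificate` (the DER bytes of the certificate the remote peer is expected to present) and the `identity` array passed in are assumptions supplied by the app.

```swift
import MultipeerConnectivity
import Security

// Added example: an MCSession that refuses unencrypted sessions and checks the
// remote peer's certificate against a pinned copy bundled with the app.
final class SecureSessionController: NSObject, MCSessionDelegate {
    let session: MCSession
    private let pinnedPeerCertificate: Data   // assumption: DER bytes shipped with the app

    /// `identity` is the local SecIdentity (plus any intermediate certificates)
    /// used to authenticate this device to the remote peer.
    init(peerID: MCPeerID, identity: [Any], pinnedPeerCertificate: Data) {
        self.pinnedPeerCertificate = pinnedPeerCertificate
        // Weak:     encryptionPreference: .optional  (the pre-iOS 9 default; an
        //           on-path attacker can negotiate the session down to plaintext)
        // Hardened: encryptionPreference: .required  (no unencrypted session at all)
        self.session = MCSession(peer: peerID,
                                 securityIdentity: identity,
                                 encryptionPreference: .required)
        super.init()
        self.session.delegate = self
    }

    // Authentication step: accept the peer only if the leaf certificate it
    // presents is byte-for-byte the pinned one; anything else is rejected.
    func session(_ session: MCSession, didReceiveCertificate certificate: [Any]?,
                 fromPeer peerID: MCPeerID, certificateHandler: @escaping (Bool) -> Void) {
        guard let chain = certificate, let first = chain.first,
              CFGetTypeID(first as CFTypeRef) == SecCertificateGetTypeID() else {
            certificateHandler(false)   // no certificate => unauthenticated peer
            return
        }
        let leaf = first as! SecCertificate
        let presented = SecCertificateCopyData(leaf) as Data
        certificateHandler(presented == pinnedPeerCertificate)
    }

    // Remaining MCSessionDelegate requirements, not exercised in this example.
    func session(_ session: MCSession, peer peerID: MCPeerID, didChange state: MCSessionState) {}
    func session(_ session: MCSession, didReceive data: Data, fromPeer peerID: MCPeerID) {}
    func session(_ session: MCSession, didReceive stream: InputStream, withName streamName: String,
                 fromPeer peerID: MCPeerID) {}
    func session(_ session: MCSession, didStartReceivingResourceWithName resourceName: String,
                 fromPeer peerID: MCPeerID, with progress: Progress) {}
    func session(_ session: MCSession, didFinishReceivingResourceWithName resourceName: String,
                 fromPeer peerID: MCPeerID, at localURL: URL?, withError error: Error?) {}
}
```

Setting `.required` explicitly keeps the protection even on devices whose framework default differs, and the delegate check means an attacker who strips encryption still cannot pass as the pinned peer.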