Apple Mends App Store Holes

Tuesday, March 12, 2013 @ 02:03 PM gHale

Apple just now fixed App Store security issues that first arose last summer.

A Google researcher working on his own time discovered in July 2012 Apple was serving up data over an unencrypted HTTP connection, leaving its Apple App Store customers open to attacks from anyone using the same public network. Six months later, the company finally flipped on the encryption.

One More iPhone Bug Found
Developer Site Zero Day Attack Source
Apple Working on Fix to Update
Apple Updates iOS

“I am really happy that my spare-time work pushed Apple to finally enabled HTTPS to protect users,” said Elie Bursztein in a blog post.

A log of Apple Web Server notifications showed on January 23, HTTPS was the default for serving active content. The company credited Bursztein, Bernhard “Bruhns” Brehm of Recurity Labs and Rahul Iyer of Bejoi LLC for reporting the issue.

In Bursztein’s blog post, he outlines the numerous ways someone could intercept communications by using the same public wireless network as a user to steal passwords, download apps, which could be costly given some run as much as $999, and prevent the user from installing other apps or upgrades. The security flaw also allowed cybercriminals to scan data stored within existing apps on a device and trick a user into downloading a fake app upgrade.

Personal data also was easy to breach with the prior unsecured connection.

“When contacting the upgrade server, the device sends in the clear a PList that contains all the applications installed on the phone. This is a privacy leak as it allows an attacker to know which bank/doctor/services the user uses,” Bursztein said. “It can also allow an attacker to track users, as a list of installed applications is pretty unique to each user (it seems likely that it will generate more than the 31 bits of entropy needed to uniquely identify a user.)”

Burzstein said he decided to go public with the attacks after the fix was in place in the hope that other developers, especially those devoted to mobile devices, will be more security minded.

“Enabling HTTPS and ensuring certificates validity is the most important thing you can do to secure your app communication,” Burzstein said. “Please don’t let your users down and do the right thing: Use HTTPS!”

Leave a Reply

You must be logged in to post a comment.