Apple has fixed several App Store security issues that first arose last summer, but it hasn’t explained why it took so long to start encrypting communications using public Wi-Fi networks.
A Google researcher working on his own time discovered in July 2012 that Apple was serving up data over an unencrypted HTTP connection, leaving its Apple App Store customers open to attacks from anyone using the same public network. Six months later, the company finally flipped on the encryption.
“I am really happy that my spare-time work pushed Apple to finally enabled HTTPS to protect users,” Elie Bursztein wrote in a blog post Friday.
A log of Apple Web Server notifications shows that on January 23, 2013, active content was now served over HTTPS by default. The company credited Bursztein, Bernhard “Bruhns” Brehm of Recurity Labs and Rahul Iyer of Bejoi LLC for reporting the issue.
In Bursztein’s blog post, he outlines the numerous ways someone could intercept communications by using the same public wireless network as a user to steal passwords, download apps — which could be costly given some run as much as $999 — and prevent the user from installing other apps or upgrades. The security flaw also allowed cybercriminals to scan data stored within existing apps on a device and trick a user into downloading a fake app upgrade.
Personal data also was easy to breach with the prior unsecured connection.
“When contacting the upgrade server, the device sends in the clear a PList that contains all the applications installed on the phone. This is a privacy leak as it allows an attacker to know which bank/doctor/services the user uses,” Bursztein said. “It can also allow an attacker to track users, as a list of installed applications is pretty unique to each user (it seems likely that it will generate more than the 31 bits of entropy needed to uniquely identify a user.)”
Burzstein said he decided to go public with the attacks after the fix was in place in the hope that other developers, especially those devoted to mobile devices, will be more security minded. “Enabling HTTPS and ensuring certificates validity is the most important thing you can do to secure your app communication. Please don’t let your users down and do the right thing: use HTTPS!”