Apple Finally Fixes App Store Vulnerabilities

Apple has fixed several App Store security issues that first arose last summer, but it hasn’t explained why it took so long to start encrypting communications that travel over public Wi-Fi networks.


A Google researcher working on his own time discovered in July 2012 that Apple was serving up data over an unencrypted HTTP connection, leaving its Apple App Store customers open to attacks from anyone using the same public network. Six months later, the company finally flipped on the encryption.

“I am really happy that my spare-time work pushed Apple to finally enable HTTPS to protect users,” Elie Bursztein wrote in a blog post Friday.

A log of Apple Web Server notifications shows that on January 23, 2013, active content was now served over HTTPS by default. The company credited Bursztein, Bernhard “Bruhns” Brehm of Recurity Labs and Rahul Iyer of Bejoi LLC for reporting the issue.

In Bursztein’s blog post, he outlines the numerous ways someone could intercept communications by using the same public wireless network as a user to steal passwords, download apps — which could be costly given some run as much as $999 — and prevent the user from installing other apps or upgrades. The security flaw also allowed cybercriminals to scan data stored within existing apps on a device and trick a user into downloading a fake app upgrade.

Personal data also was easy to breach with the prior unsecured connection.

“When contacting the upgrade server, the device sends in the clear a PList that contains all the applications installed on the phone. This is a privacy leak as it allows an attacker to know which bank/doctor/services the user uses,” Bursztein said. “It can also allow an attacker to track users, as a list of installed applications is pretty unique to each user (it seems likely that it will generate more than the 31 bits of entropy needed to uniquely identify a user.)”
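The entropy argument in that quote can be made concrete. The following is an added example, not code from the article or from Bursztein's post; the plist key `installed`, the bundle IDs and the install rates are constructed assumptions, and installs are assumed to be independent of each other.

```python
import math
import plistlib

UNIQUE_BITS = 31  # threshold quoted in the article

# Constructed install rates (fraction of users with each app); not real data.
INSTALL_RATE = {
    "com.example.bank-a": 1 / 64,
    "com.example.clinic": 1 / 256,
    "com.example.transit": 1 / 32,
    "com.example.chat": 1 / 2,
    "com.example.news": 1 / 16,
    "com.example.fitness": 1 / 128,
    "com.example.airline": 1 / 64,
}

# Constructed cleartext request body; the real App Store schema is not
# shown on the page, so the "installed" key is hypothetical.
SAMPLE_BODY = plistlib.dumps({"installed": sorted(INSTALL_RATE)})


def installed_apps(body):
    """Extract bundle IDs from the (hypothetical) 'installed' array."""
    doc = plistlib.loads(body)
    return [str(item) for item in doc.get("installed", [])]


def fingerprint_bits(apps, rates=INSTALL_RATE):
    """Lower bound on the identifying information in an app list.

    Each installed app with install rate p contributes -log2(p) bits.
    Apps missing from the rate table, and apps that are not installed,
    are ignored, which can only lower the estimate.
    """
    return sum(-math.log2(rates[app]) for app in set(apps) if app in rates)


def uniquely_identifying(apps):
    """True when the list carries at least the 31 bits cited above."""
    return fingerprint_bits(apps) >= UNIQUE_BITS


if __name__ == "__main__":
    apps = installed_apps(SAMPLE_BODY)
    print(f"{len(apps)} apps -> {fingerprint_bits(apps):.1f} bits; "
          f"unique: {uniquely_identifying(apps)}")
```

With these constructed rates, seven apps already exceed the 31-bit threshold, while a list holding only the two most common apps does not.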

Bursztein said he decided to go public with the attacks after the fix was in place in the hope that other developers, especially those devoted to mobile devices, will be more security-minded. “Enabling HTTPS and ensuring certificates validity is the most important thing you can do to secure your app communication. Please don’t let your users down and do the right thing: use HTTPS!”

 


Discussion

  • Anonymous on

    The security flaw also allowed GOVERNMENTS to scan data stored within existing apps on a device and trick a user into downloading a fake app upgrade. The logical extension of that is they had to wait until selected spooks and law enforcement got their end updated first before shutting everyone else out.
  • Reza Toopchi on

    Hi there, I am not a professional user & couldn't fight trojans. Could U please help me to know what the trojan name is? I suppose it makes the second HDD layer. Also makes threads for everything, even DNS. Apparently nobody believes me. Sometimes I think I am crazy because it is very smarter than me (my IQ score was 136-138 before). Maybe she! is an ET or a JINN being!! Maybe I don't know anything about virus advantages. Forgive me because of my mistakes. English is not my native. SINCERELY REZA T.
  • rgrein on

    Hmm, that's a little paranoid - and unnecessary. NSA already snarfs up all net traffic, what additional information do they need from your app downloads?
