HTTP 301 Redirections Lead to Trouble for Mobile Apps

Attackers can exploit a caching weakness in mobile applications by forcing a permanent HTTP 301 redirection that will persistently serve a hacker’s content to a mobile app.

Thousands of mobile apps developed for the Apple iOS platform can be forced to display phony, even malicious content, because of a vulnerability that allows an attacker to redirect traffic to a third-party site and persistently serve content from that location.

Researchers from Israeli mobile company Skycure were scheduled to present the details of their findings today during a session at RSA Europe in Amsterdam.

The attack, dubbed HTTP Request Hijacking (HRH) requires that an attacker carry out a man-in-the-middle attack over an open Wi-Fi connection. Once the attacker positions himself, he can capture HTTP requests and redirect them via a HTTP 301 redirection, or a server-side 301 Moved Permanently request. This request is cached by the mobile application and once the user opens the vulnerable app again, it will connect with the attacker’s server and not the intended website.

“While the 301 Moved Permanently HTTP response has valuable uses, it also has severe security ramifications on mobile apps, as it could allow a malicious attacker to persistently alter and remotely control the way the application functions, without any reasonable way for the victim to know about it,” wrote Skycure CTO Yair Amit in a blogpost.

HRH doesn’t pose the same risk on desktop browsers because the URL in the address bar would change and could be noticed by the user. Mobile applications don’t generally display the site to which they connect, keeping the clandestine connection secret, Amit said.

HTTP 301 responses are used for permanent webpage redirections. Sites that move to new domains use 301 redirects, as do sites that can be accessed via slightly different URLs; one is selected as the canonical destination, according to a Google support doc, while the others will redirect to that URL using a 301 response.

The problem in this attack, Amit said, is that the mobile app keeps the 301 response in cache and permanently connects to the attacker’s web server. That server can then drop any content into the app, including links to malicious sites.

Amit said they have a proof of concept that works on iOS, but since this is a rather generic attack, it could work against other mobile operating systems.

“We went on to test a bunch of high profile applications, and were amazed to find that about half of them were susceptible to HRH attacks,” Amit said. “Focusing on leading app store news apps, we found many of them vulnerable and easy to exploit.”

Amit added that the while the attack works quite well against unencrypted sessions, it also can be mounted against HTTPs traffic.

“It is interesting to note that by luring a victim to install a malicious profile that contains a root CA, an attacker can mount HRH attacks on SSL traffic as well,” Amit said. “Combining the malicious profiles threat we uncovered together with this new threat of HTTP Request Hijacking, generates a troubling scenario: Even after the malicious profile is identified and removed from the device, attacked apps continue to interact seamlessly with the attacker’s server instead of the real server, without the victim’s knowledge.”

IOS developers are urged to look for the vulnerability in their apps, Amit said, adding that apps should connect using HTTPS, although it’s not a foolproof defense.

Suggested articles