Last week Apple's marketing chief Phil Schiller was quick to poke some fun at Android security, posting a link on Twitter to an F-Secure report that paints a dire -- if not overblown -- picture of the malware situation on Google’s mobile operating system. But for the past six months Apple was also guilty of leaving its iOS App Store open to attacks that could trick users into installing paid apps or steal their passwords.
In a recent blog post, Google researcher Elie Bursztein reports that Apple has finally enabled HTTPS-by-default for the App Store as part of a raft of server-side security improvements and performance tweaks, even though he and a couple of other researchers had warned them about the dangers of this omission back in July 2012.
Up until January 23, 2013 the company only used HTTPS for purchase pages.
Like most attacks exploiting the lack of full-session HTTPS on websites, the App Store attacks described by Bursztein could have been carried out against users of public Wi-Fi networks like those found in libraries, parks, airports, coffee shops and so on. He went on to demonstrate a few possible scenarios.
Password stealing: By intercepting the unencrypted traffic whenever an app update is requested from the iTunes server, and attacker could then inject code to produce a pop up asking for the users' password.
App swapping: It is possible to swap a free app with a paid app, forcing the user to buy and install the attacker’s app of choice instead of the one the user originally intended.
Fake upgrade: Similar to the previous scenario, and attacker could trick the user into buying and installing an app by inserting a fake update prompt or hijacking an actual update prompt to silently redirect them to another app. In both cases it’s possible to monetize this attack by having a very expensive application available through the App Store and tricking the user into purchasing it using the app swapping approach.
Preventing application installation: Without HTTPS it’s possible to prevent the user from installing/upgrading applications either by stripping the app out of the store or tricking the app into believing it is already installed.
Privacy leak: The App Store application update mechanism discloses the list of the apps installed on the device.
It’s unclear if any of these scenarios have actually been exploited in the wild but now that HTTPS is enabled by default on the App Store it’s no longer an issue. Bursztein says he’s really happy that his spare-time work pushed Apple to finally protect users.
