Many Apple iOS applications are vulnerable to a man-in-the-middle attack that can result in permanent manipulation by the attacker, according to start-up Skycure, which released its research findings yesterday during the RSA Europe conference.
Skycure CTO Yair Amit says many mobile iOS apps are vulnerable to a “very simple attack that relies on the 301 HTTP Response, a permanent re-direction.” If an Apple iOS app can cache these so-called 301 HTTP Re-Direct Response requests – and many popular iOS apps do, according to Skycure – then the app is vulnerable to being repeatedly hijacked via re-direction to the attacker’s server.
While this general type of man-in-the-middle attack has been known on the web for many years, for mobile applications the result is worse in that it “persistently changes the URL” of the server and lets the attacker take dynamic control over the app, says Amit. In the information that Skycure is publishing, the company notes the impact of the attack is basically that instead of loading data from the real site that the user wants to visit, the attacker can make the app permanently load the data from the attacker’s site.
Skycure isn’t releasing the names of the vulnerable iOS apps because this issue hasn’t necessarily been fixed. Amit says according to Skycure’s research, a significant portion of apps available through the official Apple App Store could be attacked this way. The problem is not a vulnerability in iOS itself but a coding weakness on the part of the developer.
Skycure says “HTTP Request Hijacking” of Apple iOS mobile devices such as iPhones and iPads starts with a man-in-the-middle attack, which would typically commence in a public Wi-Fi zone, such as in a coffee shop. While a type of attack like this has been known to happen on the web between computer-based web browsers and web servers for quite some time, the way a similar attack works on mobile devices hasn’t yet been subject to much scrutiny, says Amit.
He adds the implication of such an attack on news or financial information received through iOS devices is troubling.
“In a mobile application, it changes the application,” he says, adding “there’s no easy way to remove the problem.” But Skycure believes there are a number of steps that app developers can take to remediate or mitigate against it.
Among them are making sure the app doesn’t cache a 301 HTTP Re-Direct Response for re-direction. Another is to make sure the mobile device interacts with a designated server via an encrypted protocol, such as HTTPS, instead of HTTP. “If you want your application to behave differently with a server, just release an update,” he suggests. Making changes to apps to correct for this may be somewhat disruptive to the end-user, he adds.
The HTTP Request Hijacking attack on iOS that Skycure has identified may also exist in Android or other mobile-device platforms, but Skycure currently puts its focus primarily on Apple iOS. Skycure believes one danger in this type of man-in-the-middle attack on mobile devices is that it is much less visible to the victimised end-user than the more traditional computer-based form of the attack.
By Ellen Messmer. Network World