Apple left App Store open to attack: Google researcher


Summary: Apple failed to use HTTPS on its App Store for at least six months, leaving it open to man-in-the-middle attacks that could trick users into installing paid apps or steal their passwords.


The Apple App Store had been running without SSL encryption for a period of at least six months, leaving it open to password theft, privacy leaks, and app manipulation vulnerabilities.

Apple recently updated its "Apple Web Server notifications" document, which is in effect the credit roll for people who have reported security issues on Apple's web servers. Among the entries, Apple acknowledges Bernhard "Bruhns" Brehm of Recurity Labs, Elie Bursztein of Google, and Rahul Iyer of Bejoi LLC for pointing out issues with the itunes.apple.com domain.

The three researchers pointed out that information sent to and from the domain was not protected using HTTPS. Following their reports, Apple addressed the issue earlier this year, and now notes that "active content is now served over HTTPS by default".

According to Bursztein, because HTTPS was not used, an attacker could carry out four different attacks on users whenever they were on a shared network, such as those at airports or coffee shops.

Bursztein's attacks work by intercepting the unencrypted traffic on the network and modifying Apple's response. The first attack, stealing a user's password, intercepts the App Store app's request for updates from the iTunes server and injects code to produce a pop-up asking for the user's password.

From the victim's perspective, it would appear that the App Store app has asked for the user's password upon being opened. This information can then be sent to the attacker.

The second attack fools the user into thinking they're downloading one application when they're not. The attack again intercepts the details presented on an application's page, leaving the original details of the application intact, but changing the details sent to Apple's servers when the user clicks buy or install.

"Abusing the lack of encryption on the application detail pages, the attacker is able to swap application purchase/download parameters with those of his choice. As a result, the attacker is able to force the victim to install/buy an app of his choice when the victim tries to install/upgrade any application," Bursztein wrote on his blog.

"The attacker would be able to monetize this attack by having his own (benign) very expensive application available through the market and forcing the user to install it using the app swapping attack."

This can be combined with Bursztein's third attack, which hijacks genuine updates to installed apps and, similar to the app-swapping attack, points to another app to install.

Lastly, Bursztein's fourth attack uses the same techniques but changes the application to be installed or downloaded to one that is already on the device. This effectively prevents the victim from installing any app, locking them out of the App Store.
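To make the app-swapping risk concrete from the defender's side, here is an added Python simulation (not code from the article or from Bursztein) of an app-detail response whose purchase parameters are changed in transit: an unprotected client accepts the altered parameters, while a client that checks an integrity tag refuses them. The field names, the shared HMAC key and the package identifiers are all constructed for the demo; in practice TLS, not a shared key, is what supplies this integrity.

```python
import hashlib
import hmac
import json

# Stand-in for the integrity TLS would provide; the shared key is an assumption
# made only so the demo runs offline.
DEMO_KEY = b"demo-shared-key"

def build_detail_response(app_id: str, price: str) -> dict:
    """Server side: purchase parameters the client echoes back on 'buy'
    (field names constructed for the demo, not Apple's real format)."""
    return {"app_id": app_id, "price": price, "action": "buy"}

def sign_response(payload: dict) -> dict:
    """Hardened form: attach a MAC over the canonical JSON of the payload."""
    body = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload,
            "mac": hmac.new(DEMO_KEY, body, hashlib.sha256).hexdigest()}

def verify_response(signed: dict) -> bool:
    """Client side: recompute the MAC and compare in constant time."""
    body = json.dumps(signed["payload"], sort_keys=True).encode()
    expected = hmac.new(DEMO_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["mac"])

def on_path_modification(payload: dict, app_id: str, price: str) -> dict:
    """Models the in-transit change the article describes: purchase
    parameters altered while the page the user sees stays the same."""
    return {**payload, "app_id": app_id, "price": price}

def plaintext_client(payload: dict) -> str:
    """Unprotected client: trusts whatever app_id arrived over plain HTTP."""
    return payload["app_id"]

def protected_client(signed: dict):
    """Integrity-checking client: returns None rather than act on a bad MAC."""
    return signed["payload"]["app_id"] if verify_response(signed) else None

def demo() -> tuple:
    genuine = build_detail_response("com.example.notes", "0.99")
    swapped = on_path_modification(genuine, "com.example.pricey", "99.99")
    signed = sign_response(genuine)
    signed_swapped = {"payload": on_path_modification(
        signed["payload"], "com.example.pricey", "99.99"), "mac": signed["mac"]}
    # Plain HTTP: the swap is accepted. With an integrity check it is refused.
    return (plaintext_client(swapped), protected_client(signed),
            protected_client(signed_swapped))
```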

It is also possible to determine which apps a user has on their device, according to Bursztein, because when the device contacts the upgrade server, it sends a list of this information.

"It can also allow an attacker to track users, as a list of installed applications is pretty unique to each user (it seems likely that it will generate more than the 31 bits of entropy needed to uniquely identify a user)."

In addition to the above video showing the app swapping attack, Bursztein has created videos demonstrating password stealing and the fake upgrade attack.

Topics: Security, Apple, Apps, Google, iOS, Mobility

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.


Talkback

5 comments
  • Good for them for finding the security attack vectors.

    Good for Apple for closing those attack vectors.

    Life goes on.
    kenosha77a
  • Top work by Google by a Google researcher

    Big words for a company whose sole business model is based around invasion of privacy.
    Perhaps he should spend more time on the Play Store security and work out why it's riddled with malware.
    Adam Geo
    • Paranoid much?

      Based around invasion of privacy? Filled with malware?

      Wow, you're crazy.
      ForeverCookie
  • Apple was being reckless

    It was a bit weird why no https!

    As for Google investigators, they could study a way of avoiding or reducing the problem of fake applications for Android - globally and even more importantly in the Play Store. :-P
    AleMartin
  • Good story good ending.

    Good guys! Doing good things for everyone.
    Altotus