Apple patches password-stealing bug and other App Store vulnerabilities

“Active content is now served over HTTPS by default,” Apple noted in a security advisory, issued earlier in the year but getting little notice until Google security researcher Elie Bursztein took to his blog on Friday to detail just how far the vulnerabilities go.

The issues have been lingering since July 2012, when Bursztein reported that while the Apple App Store is a native iOS app, most of its active content, including app pages and the update page, is dynamically rendered from server data. The server data is mostly standard web data (HTML/JavaScript/CSS) with custom extensions and keywords. That paves the way for a range of active network attacks that can read, intercept and manipulate unencrypted (HTTP) network traffic.

“Hence those attacks can be carried on any public Wi-Fi networks, including airport or coffee shops’ networks,” Bursztein said. “Being on the same networks as the victims is all it takes.”

By abusing the lack of encryption (HTTPS) in certain parts of the communication with the App Store, the dynamic nature of the App Store pages, and the lack of confirmation, an active network attacker can perform password-stealing, app swapping, fake app upgrades, app installation blocks and privacy leaks.

When it comes to password stealing, hackers can trick the user into disclosing his or her password by using the application update notification mechanism to insert a fake prompt when the App Store is launched. “The user opens the App Store, which will trigger the App Store app to fetch the list of updates available from the server,” Bursztein explained. “The attacker intercepts the reply and injects a JavaScript prompt into it that asks for the user’s Apple ID [and] password. From the user’s perspective, it seems that opening the application triggered the prompt, which is very deceiving. The password is then exfiltrated by including it into a script insertion URL.”

As for other issues, hackers can also force the user to install/buy the attacker’s app of choice instead of the one the user intended to download – made more of an issue by virtue of the fact that it’s possible to swap a free app with a paid app. Users also can be tricked into installing/buying the attacker’s app of choice by inserting fake app upgrades, or manipulating existing app upgrades.

Hackers also can prevent the user from installing/upgrading applications either by stripping the app out of the market or tricking the app into believing it is already installed. Finally, an issue exists in the fact that the App Store application update mechanism discloses in the clear the list of the applications installed on the device.

Apple may have made HTTPS available to App Store developers, but it’s up to the app writers themselves to effect change. “I decided to render those attacks public, in the hope that it will lead more developers (in particular mobile ones) to enable HTTPS,” Bursztein said. “Enabling HTTPS and ensuring certificates validity is the most important thing you can do to secure your app communication. Please don’t let your users down and do the right thing: use HTTPS!”
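Bursztein’s advice comes down to two concrete settings in the client: verify the server’s certificate chain, and check that the certificate matches the host you meant to reach. The following Python snippet is an added example (not code from Apple, the App Store, or Bursztein’s post) using only the standard library: it builds a hardened TLS client context, shows the weakened context that “make the certificate error go away” workarounds produce, and audits either one so a code review or CI job can reject the weak form and any plain-HTTP endpoint. The function and variable names are the example’s own.

```python
"""
Hardened TLS client configuration for app-to-server traffic, plus an audit
that flags the two weaknesses the article warns about: cleartext HTTP, and
HTTPS with certificate validation switched off.

Added example; not Apple's, the App Store's or Bursztein's code. Standard
library only. Names (build_client_context, audit_context, audit_url, fetch)
are assumptions of this example.
"""
import ssl
import urllib.request
from urllib.parse import urlparse


def build_client_context() -> ssl.SSLContext:
    """Client context that validates the certificate chain AND checks the
    hostname against the certificate, over TLS 1.2 or newer."""
    ctx = ssl.create_default_context()            # loads the platform CA store
    ctx.check_hostname = True                     # cert must name the host we dialed
    ctx.verify_mode = ssl.CERT_REQUIRED           # unverifiable chain => handshake fails
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy protocol versions
    return ctx


def build_weak_context() -> ssl.SSLContext:
    """The 'just accept any certificate' configuration. It exists here only
    so the audit below has a bad example to catch; never ship this."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of findings; an empty list means the context is acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are allowed")
    return findings


def audit_url(url: str) -> list[str]:
    """Flag endpoints that are not HTTPS at all. Over plain HTTP anyone on the
    same Wi-Fi can read every response and rewrite it before it arrives."""
    scheme = urlparse(url).scheme.lower()
    if scheme != "https":
        return [f"cleartext scheme '{scheme}': responses can be read and modified in transit"]
    return []


def fetch(url: str, timeout: float = 10.0) -> bytes:
    """Fetch url with the hardened context; refuse cleartext URLs outright
    instead of silently downgrading."""
    problems = audit_url(url)
    if problems:
        raise ValueError("; ".join(problems))
    with urllib.request.urlopen(url, context=build_client_context(), timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Constructed endpoints for illustration, not real App Store URLs.
    for candidate in ("http://updates.example.invalid/list", "https://updates.example.invalid/list"):
        print(candidate, audit_url(candidate) or "ok")
    print("hardened context:", audit_context(build_client_context()) or "ok")
    print("weak context:", audit_context(build_weak_context()))
```

The audit is the part worth wiring into a build: an app that constructs its own `SSLContext` (or the platform equivalent) should fail review the moment `verify_mode` drops below `CERT_REQUIRED` or `check_hostname` is cleared, because either change turns an on-path attacker’s self-signed certificate into a valid one as far as the client is concerned.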
