Many iOS apps found open to hijacking on public Wi-Fi

An Israeli startup has discovered a vulnerability in many iOS apps that attackers could secretly exploit over a public Wi-Fi network to send their own data to an Apple iPhone or iPad.


Skycure discovered the "coding pitfall," which it calls HTTP Request Hijacking, while investigating a bug in its mobile security product. Further investigation uncovered the widespread flaw that could be used to send malicious links or fake news to a news app.

The exploitation would start with a man-in-the-middle attack over a public Wi-Fi network. An attacker would first have to gain access to the HTTP traffic between the app and the server that receives its requests and sends back data.

When the app requests data, the attacker captures the request and answers it with an HTTP 301 (permanent redirect) response, which tells the app to fetch the data not from the real server's URL but from the URL of the attacker's server.

Because many apps store the redirected server location permanently in the app's cache, the attacker can keep feeding the app data of his choosing, even after the victim has left the hostile network, until the app is either updated or removed and reinstalled.

While Skycure would normally notify the app developer of flaws before going public, so many iOS apps were vulnerable to this type of attack that the company believed it was impossible to find and notify all of them.

"There's simply too many apps that are vulnerable to this," Adi Sharabani, chief executive and co-founder of Skycure, said Tuesday. "We don't even know all the apps that are vulnerable."

Skycure is hoping its disclosure will lead to more developers hearing about the problem and fixing it. The company has posted on its blog a couple of lines of code that can be inserted in a mobile app to close the hole.
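The attack sequence above (a plaintext request intercepted on the Wi-Fi hop, a 301 answer, and a redirect target that the app persists) and the shape of the fix can be modelled in a few dozen lines. The following is an added, constructed Python simulation, not Skycure's published code and not any real app: the hostnames are placeholders, `Network` stands in for the Wi-Fi path with an attacker on it, `VulnerableClient` persists whatever origin a 301 points at, and `HardenedClient` refuses redirects that leave the original origin and never stores them. A third scenario uses an `https://` base to mirror the article's point that a TLS origin is not trivially intercepted.

```python
"""Constructed simulation of HTTP Request Hijacking: a cached 301 target
outlives the attacker. Hostnames below are placeholders, not real sites."""
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

LEGIT_HTTP = "http://news.example.com"       # constructed hostname
LEGIT_HTTPS = "https://news.example.com"     # same service over TLS
ATTACKER = "http://attacker.example.net"     # constructed hostname


@dataclass
class Response:
    status: int
    headers: dict
    body: str


class Network:
    """Stand-in for the Wi-Fi hop. While `mitm` is True, every plaintext
    request to the legitimate host is answered with a 301 to the attacker.
    HTTPS requests are left alone, modelling the much higher cost of
    tampering with a TLS connection."""

    def __init__(self):
        self.mitm = False

    def fetch(self, url: str) -> Response:
        parts = urlsplit(url)
        if parts.netloc == urlsplit(ATTACKER).netloc:
            return Response(200, {}, "FAKE NEWS")          # attacker's server
        if parts.scheme == "http" and self.mitm:
            return Response(301, {"Location": ATTACKER + parts.path}, "")
        return Response(200, {}, "real headline")           # genuine server


class VulnerableClient:
    """Follows the 301 and stores the new origin as its permanent base URL,
    which is the pattern the article describes: the poisoned origin is
    reused on every later request, attacker present or not."""

    def __init__(self, net: Network, base: str):
        self.net, self.base = net, base

    def get(self, path: str) -> str:
        resp = self.net.fetch(self.base + path)
        if resp.status == 301:
            loc = urlsplit(resp.headers["Location"])
            self.base = urlunsplit((loc.scheme, loc.netloc, "", "", ""))  # persisted
            resp = self.net.fetch(self.base + path)
        return resp.body


class HardenedClient:
    """Follows a 301 only if it stays on the original scheme and host, and
    never updates the stored base URL from a redirect."""

    def __init__(self, net: Network, base: str):
        self.net, self.base = net, base

    def get(self, path: str) -> str:
        resp = self.net.fetch(self.base + path)
        if resp.status == 301:
            loc = urlsplit(resp.headers["Location"])
            if (loc.scheme, loc.netloc) != urlsplit(self.base)[:2]:
                raise ValueError(f"refusing cross-origin redirect to {loc.netloc}")
            resp = self.net.fetch(resp.headers["Location"])  # same origin only
        return resp.body


def run_scenario(client_cls, base: str = LEGIT_HTTP) -> list:
    """Three requests: at home, on hostile Wi-Fi, then back at home."""
    net = Network()
    client = client_cls(net, base)
    results = [client.get("/headlines")]       # 1: clean network
    net.mitm = True                            # 2: attacker on the path
    try:
        results.append(client.get("/headlines"))
    except ValueError:
        results.append("blocked")
    net.mitm = False                           # 3: attacker gone
    results.append(client.get("/headlines"))
    return results


if __name__ == "__main__":
    print("vulnerable, http :", run_scenario(VulnerableClient))
    print("hardened,   http :", run_scenario(HardenedClient))
    print("vulnerable, https:", run_scenario(VulnerableClient, LEGIT_HTTPS))
```

The third request in the vulnerable run is the crux: the user is no longer on the attacker's network, yet the app still talks to the attacker's server because the redirect target was written into persistent state. The hardened client shows the two defensive properties any fix needs, rejecting redirects that change origin and never promoting a redirect target to the stored server address.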

For non-technical people with iOS devices, there's little they can do to fix the problem, except install updates for their apps as soon as they are available, Sharabani said. Mobile apps that use HTTPS for communications are mostly safe, because attacks over the secure protocol are a lot more difficult.

HTTP is known for being an insecure protocol susceptible to man-in-the-middle attacks, Tielei Wang, a mobile security researcher at Georgia Institute of Technology, said. This particular attack is "very limited" because it only affects HTTP connections.


In general, mobile apps send sensitive content over HTTPS, "unless the app is poorly designed," Wang said.

Skycure had not determined whether Android apps were vulnerable to the same coding flaw. However, Marc Rogers, principal security researcher at Lookout, said it was certainly possible.

"I would anticipate that yes, the same problem is likely to exist," Rogers said.
