An Israeli startup has discovered a vulnerability in many iOS apps that attackers could secretly exploit over a public Wi-Fi network to send their own data to an Apple iPhone or iPad.
Skycure discovered the "coding pitfall," which it calls HTTP Request Hijacking, while investigating a bug in its mobile security product. Further investigation uncovered the widespread flaw that could be used to send malicious links or fake news to a news app.
The exploitation would start with a man-in-the-middle attack over a public Wi-Fi network. An attacker would first have to gain access to the HTTP traffic between the app and the server that receives its requests and sends back data.
When the app asks for information, the attacker would have to capture the request and return an HTTP 301 (Moved Permanently) redirect, which tells the app to get data not from the real server's URL but from the URL of the attacker's server.
Because many developers store the server location permanently in the app's cache, the attacker can send the data he chooses until the app is either updated or it is removed and reinstalled.
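The persistence described above can be modelled in a few lines. This is an added example, not Skycure's code or the fix from its blog: an in-memory simulation (no real networking) in which the URLs, class names and the `cache_permanent_redirects` switch are all constructed for illustration. It compares a client that remembers 301 responses with one that does not, and lists cached redirects that cross hosts.

```python
from urllib.parse import urlsplit

REAL = "http://news.example/feed"    # constructed URL of the app's real server
ROGUE = "http://rogue.example/feed"  # constructed URL of a server the app never chose

class Network:
    """In-memory stand-in for the network; `tampered` models the untrusted Wi-Fi hop."""
    def __init__(self):
        self.tampered = False
        self.content = {REAL: "genuine headlines", ROGUE: "injected headlines"}

    def get(self, url):
        if self.tampered and url == REAL:
            return 301, ROGUE  # forged reply: "moved permanently"
        return 200, self.content[url]

class Client:
    """Hypothetical app HTTP layer with an optional permanent-redirect cache."""
    def __init__(self, net, cache_permanent_redirects):
        self.net = net
        self.cache_permanent_redirects = cache_permanent_redirects
        self.redirect_cache = {}  # survives until the app is updated or reinstalled

    def fetch(self, url):
        url = self.redirect_cache.get(url, url)  # a cached 301 rewrites the request
        status, body = self.net.get(url)
        if status == 301:
            target = body
            if self.cache_permanent_redirects:
                self.redirect_cache[url] = target
            status, body = self.net.get(target)
        return body

    def cross_host_redirects(self):
        """Audit helper: cached redirects learned over plain HTTP that change host."""
        return [(src, dst) for src, dst in self.redirect_cache.items()
                if urlsplit(src).scheme == "http"
                and urlsplit(src).hostname != urlsplit(dst).hostname]

def run(cache_permanent_redirects):
    net = Network()
    app = Client(net, cache_permanent_redirects)
    net.tampered = True            # one request made on the public Wi-Fi network
    on_wifi = app.fetch(REAL)
    net.tampered = False           # later, back on a trusted network
    later = app.fetch(REAL)
    return on_wifi, later, app.cross_host_redirects()

if __name__ == "__main__":
    print("caching 301s:    ", run(True))
    print("not caching 301s:", run(False))
```

Both clients receive tampered data while on the hostile network, which is inherent to plain HTTP; only the client that caches the 301 keeps receiving it afterwards.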
While Skycure would normally notify the app developer of flaws before going public, so many iOS apps were vulnerable to this type of attack that the company believed it was impossible to find and notify all of them.
"There's simply too many apps that are vulnerable to this," Adi Sharabani, chief executive and co-founder of Skycure, said Tuesday. "We don't even know all the apps that are vulnerable."
Skycure is hoping its disclosure will lead to more developers hearing about the problem and fixing it. The company has posted on its blog a couple of lines of code that can be inserted in a mobile app to close the hole.
For non-technical people with iOS devices, there's little they can do to fix the problem, except install updates for their apps as soon as they are available, Sharabani said. Mobile apps that use HTTPS for communications are mostly safe, because attacks over the secure protocol are a lot more difficult.
HTTP is known for being an insecure protocol susceptible to man-in-the-middle attacks, Tielei Wang, a mobile security researcher at Georgia Institute of Technology, said. This particular attack is "very limited" because it only affects HTTP connections.
In general, mobile apps send sensitive content over HTTPS, "unless the app is poorly designed," Wang said.
Skycure had not determined whether Android apps were vulnerable to the same coding flaw. However, Marc Rogers, principal security researcher at Lookout, said it was certainly possible.
"I would anticipate that yes, the same problem is likely to exist," Rogers said.