Last July, Elie Bursztein, security researcher at Google had reported a number of vulnerabilities to Apple after he discovered that it was serving content on the App Store app over HTTP.
Bursztein now reports that Apple has finally started serving active content on the App Store over HTTPS to address the issues.
In a blog post, Bursztein briefly explains some of these vulnerabilities:
By abusing the lack of encryption (HTTPS) in certain parts of the communication with the App Store, the dynamic nature of the App Store pages, and the lack of confirmation, an active network attacker can perform the following attacks:
- Password stealing: Trick the user into disclosing his or her password by using the application update notification mechanism to insert a fake prompt when the App Store is launched.
- App swapping: Force the user to install/buy the attacker’s app of choice instead of the one the user intended to install/buy. It is possible to swap a free app with a paid app.
- App fake upgrade: Trick the user into installing/buying the attacker’s app of choice by inserting fake app upgrades, or manipulating existing app upgrades.
- Preventing application installation: Prevent the user from installing/upgrading applications either by stripping the app out of the market or tricking the app into believing it is already installed.
- Privacy leak: The App Store application update mechanism discloses in the clear the list of the applications installed on the device.
According to this support document, Apple seems to have rolled out the fix on January 21st. Apple has also given credit to Bursztein, Bernhard ‘Bruhns’ Brehm of Recurity Labs, and Rahul Iyer of Bejoi LLC for reporting the vulnerabilities in the support document.
It’s surprising that it took Apple so much time to fix the issue, especially when you consider that Apple had to only enable HTTPS encryption. Bursztein says he is glad that his spare time work pushed Apple to finally enable HTTPS to protect users.
Interestingly, this comes just few days after Phil Schiller, Apple’s Senior Vice President of Worldwide Marketing poked fun at Android by pointing to the Malware Threat report by research firm F-Secure, which highlighted the rise of Android-based malware.