Risk
3/11/2013
01:09 PM
Connect Directly
RSS
E-Mail
50%
50%

Apple Ups Security For App Store

Apple begins using secure Web pages -- HTTPS -- for all App Store communications, to protect against password theft and other potential problems.

Apple has begun using secure Web pages -- HTTPS -- for all App Store communications. The move mitigated a number of vulnerabilities that attackers could have exploited to steal App Store passwords, force users to pay for unwanted apps or intercept user data.

Apple announced the security change earlier this year, noting that "active content is now served over HTTPS by default" for App Store via its iTunes applications. Apple's security notice credited multiple researchers for alerting it to the vulnerability, including Google researcher Elie Bursztein.

Bursztein said Friday in a blog post that Apple's previous failure to use HTTPS for App Store communications -- except on purchase pages – along with its failure to confirm certain activities and the dynamic manner in which App Store pages get generated left users open to "an active network attack that is able to read, intercept and manipulate non-encrypted (HTTP) network traffic," for example, via unencrypted public Wi-Fi hotspots.

[ What lessons can we learn from the Evernote security breach? Read Evernote Breach: 7 Security Lessons. ]

"Being on the same networks as the victims is all it takes [to facilitate man-in-the-middle (MITM) attacks]," he said.

For example, an attacker could have stolen passwords by inserting a fake password-notification prompt into the App Store application update mechanism and swapping a paid app for a free app that a user tried to obtain, thus charging them. Users could also have been tricked into paying for fake app upgrades and been blocked from installing an app either by hiding it from view in the App Store or tricking the user into thinking it was already installed. Finally, Bursztein said the vulnerabilities posed a privacy-leak problem, because "the App Store application update mechanism discloses in the clear the list of the applications installed on the device."

Apple's adoption of HTTPS for all App Store communications follows -- and arguably lags -- similar moves made by Google, which began exploring the use of HTTPS for encrypted search in 2010 and made it the default for all communications with Google services, including Gmail, in 2011. Similarly, Facebook adopted HTTPS by default late last year, as did Twitter.

Last year, Mozilla announced that Firefox would default to the HTTPS version of any website, taking a cue from the HTTPS Everywhere campaign and related plug-in advanced by Electronic Frontier Foundation, which seeks to get more sites to adopt the security offered by HTTPS pages.

Calls for websites to adopt HTTPS increased in the wake of Firesheep, a Firefox plug-in that was released in late 2010 that focused attention on the ease with which traffic being sent across unsecured hotspots -- for example, in many cafes and airports -- could be intercepted. The fix for such attacks was easy: websites needed to enable HTTPS by default, thus adding an encryption layer to all HTTP communications between browser and website.

"Apple, it seems, didn't bother with HTTPS Everywhere, even for its own App Store, until 2013," said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, in a blog post. "Since there's no other place to shop when you're buying or selling iDevice software, and since Apple likes it that way, you might think that Cupertino would have set the bar a bit higher."

How long has Apple's use of HTTP for its App Store put users at risk of being exploited? "I am unsure," Google researcher Bursztein said via Twitter. "I reported it in July [2012], but likely they have been susceptible to MITM for years."

But Bursztein hopes that Apple's adoption of HTTPS for its App Store will lead more developers -- "in particular mobile ones" -- to likewise adopt HTTPS. "Enabling HTTPS and ensuring certificates validity is the most important thing you can do to secure your app communication."

"Please don't let your users down," he said. "Do the right thing: use HTTPS."

Attend Interop Las Vegas May 6-10 and learn the emerging trends in information risk management and security. Use Priority Code MPIWK by March 22 to save an additional $200 off the early bird discount on All Access and Conference Passes. Join us in Las Vegas for access to 125+ workshops and conference classes, 300+ exhibiting companies, and the latest technology. Register today!

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
moarsauce123
50%
50%
moarsauce123,
User Rank: Apprentice
3/14/2013 | 11:23:47 AM
re: Apple Ups Security For App Store
I think it is more a sign as to how arrogant and ignorant Apple is. It wasn't even an afterthought, it took externals to point that out to Apple. This is the cost of doing business with Apple.
CAgarwala400
50%
50%
CAgarwala400,
User Rank: Apprentice
3/13/2013 | 3:09:12 AM
re: Apple Ups Security For App Store
Enterprise adoption of Apple devices will be impacted with this revelation, that Apple has taken so long to meet a basic security criteria.
kjhiggins
50%
50%
kjhiggins,
User Rank: Strategist
3/12/2013 | 2:46:45 AM
re: Apple Ups Security For App Store
I would have thought the App Store was all HTTPS, too. But then again, Macs never get hacked. ;-)

Kelly Jackson Higgins, Senior Editor, Dark Reading
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
3/11/2013 | 11:28:41 PM
re: Apple Ups Security For App Store
I'm really surprised it took Apple this long. Another example of security as an afterthought.

Drew Conry-Murray
Editor, Network Computing
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

CVE-2014-7292
Published: 2014-10-23
Open redirect vulnerability in the Click-Through feature in Newtelligence dasBlog 2.1 (2.1.8102.813), 2.2 (2.2.8279.16125), and 2.3 (2.3.9074.18820) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter to ct.ashx.

CVE-2014-8071
Published: 2014-10-23
Multiple cross-site scripting (XSS) vulnerabilities in OpenMRS 2.1 Standalone Edition allow remote attackers to inject arbitrary web script or HTML via the (1) givenName, (2) familyName, (3) address1, or (4) address2 parameter to registrationapp/registerPatient.page; the (5) comment parameter to all...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.