Security Flaw Found in 'Staggering Number' of iOS Apps
Oct 31, 2013 10:32 AM PT
A flaw found in a "staggering number" of apps for the iPhone and iPad could be exploited to send malicious information to the gadgets, researchers at Skycure reported Tuesday. The vulnerability allows enterprising hackers to redirect an app's communication with its appointed server to one operated by nefarious parties.
Although the researchers focused on iOS apps, the flaw could affect other mobile platforms too, since the it involves a cross-platform standard -- HTTP.
"We've seen a pretty impressive number of iOS applications susceptible to this problem, but it is very likely that other operating systems, such as Android and Windows Phone, may be susceptible to this as well, although we can't confirm that yet," Yair Amit, CTO and cofounder of Skycure, told MacNewsWorld.
Apple did not respond to our request to comment for this story.
A classic man-in-the-middle attack can be launched on an iOS device by exploiting the vulnerability, which uses a technique called "HTTP Request Hacking." Here's how it works.
Many apps are constantly communicating with a server on the Net to obtain information. The app for a news organization, for instance, frequently polls that organization's server to get the latest news.
When such communication is initiated by an app, it can be intercepted by a hacker, who then pushes a modification to the iOS device that redirects all future communication from the app to the hacker's server.
The modification involves poisoning a cache used by apps with a bogus "301 Moved Permanently" command. Those commands are used by developers when a domain used by their app changes. In this case, though, the hacker is changing the domain and not the developer.
"While the 301 Moved Permanently HTTP response has valuable uses, it also has severe security ramifications on mobile apps, as it could allow a malicious attacker to persistently alter and remotely control the way the application functions, without any reasonable way for the victim to know about it," Amit explained in a blog post.
"Whereas browsers have an address bar," he continued, "most mobile apps do not visually indicate the server they connect to, making HRH attacks seamless, with very low probability of being identified by the victims."
In order to succeed, an attacker needs to be connected to the same network as the victim and actively intercept the data flow between the victim's vulnerable application and the website it downloads its data from, explained Bitdefender Senior E-Threat Analyst Bogdan Botezatu.
However, "the attack can be automated to affect all devices currently connected to the network," he told MacNewsWorld.
"While this attack may look more like a prank," Botezatu continued, "poisoning applications with fake content can have devastating consequences. For decision makers, fake news could impact the way they do business, while for others it can trigger panic. Imagine a specific pool of users being shown news of an imminent hurricane or other disaster in their area."
Botezatu cautioned against using unfamiliar networks.
"Users should be extremely careful when connecting their device to an untrusted wireless network, as their traffic can be snooped on, their credentials intercepted or -- as it is the case with this attack -- their data manipulated in real time, even when they disconnect the rogue network and connect to their own," he said.
Typically, security researchers do not reveal vulnerabilities before app makers have a chance to fix them, but Skycure's Amit noted that the scope of this flaw precluded such action.
"Unlike most vulnerabilities, where a responsible disclosure could be made in private to the vendor in charge of the vulnerable app, we soon realized that HTTP Request Hijacking affects a staggering number of iOS applications, rendering the attempt to alert vendors individually virtually impossible," he wrote.
Instead, Skycure offered two solutions to the problem. First, developers could secure communication between their apps and Web hosts with HTTPS. Apps vulnerable to the 301 attack are using the insecure HTTP protocol.
In the past, developers shied away from using HTTPS because they felt it hurt app performance, but that's not the case anymore, maintained Christopher Budd, threat communications manager for Trend Micro.
"We're getting to a point where processing costs are low and security risks are high," he told MacNewsWorld, "so using HTTPS as a default, to my mind, is making much more sense."
While HTTPS could foil some hackers seeking to exploit the 301 flaw, even that protocol can be circumvented in iOS through the use of malicious profiles.
"When you combine the 301 and malicious profile attacks together, you can poison and change the logic of applications that interact through SSL," Amit explained.
The second solution suggested by Skycure would be to shut off an app's polling of the cache containing the 301 command.
"301 is great for the Web, but when it comes to mobile applications -- where, as a user, you have to trust the vendor that what you're doing is safe -- it's very bad for mobile devices," noted Amit.
Although that solution addresses the problem, there would be a cost.
"It protects," Trend Micro's Budd observed, "but it definitely hampers functionality that, when it's legitimate, can be valuable."