Apple has finally patched a significant vulnerability in the way it handles certain actions in the iOS App Store app. The curious thing here is that it has done so a full six months after being alerted to the issue.
In his most recent blog post, Google security researcher Elie Bursztein says that he reported a multifaceted App Store vulnerability to Apple back in July last year. But according to him, it was only last week that Apple put out a fix for it.
The vulnerability may be exploited on any public Wi-Fi network and may result in the following attacks, as outlined by Bursztein:
- Password stealing: Trick the user into disclosing his or her password by using the application update notification mechanism to insert a fake prompt when the App Store is launched.
- App swapping: Force the user to install/buy the attacker’s app of choice instead of the one the user intended to install/buy. It is possible to swap a free app with a paid app.
- App fake upgrade: Trick the user into installing/buying the attacker’s app of choice by inserting fake app upgrades, or manipulating existing app upgrades.
- Preventing application installation: Prevent the user from installing/upgrading applications either by stripping the app out of the market or tricking the app into believing it is already installed.
- Privacy leak: The App Store application update mechanism discloses in the clear the list of the applications installed on the device.
If you can’t see the video embedded above, please click here.
As pointed out by Bursztein, these attacks are made possible by the lack of HTTPS encryption in the App Store.
But now, Apple has implemented HTPPS in the App Store, thereby getting rid of the vulnerability in question.
You can read Bursztein’s full account on the issue here.
Frankly, I’m surprised that it took Apple so long to fix the issue. Perhaps Apple should’ve also warned iOS users to “Be safe out there” in the six months that the issue was open for exploitation.