Last summer a Google security researcher announced he had found serious flaws in the Apple App Store. Apple was serving up App Store data over an unencrypted HTTP connection, leaving its customers open to attacks from anyone using the same public network. Six months later, the company finally flipped on the encryption.
Elie Bursztein announced yesterday that “I am really happy that my spare-time work pushed Apple to finally enable HTTPS to protect users”.
The lack of HTTPS left iOS customers open to password stealing, app swapping (the ability for an attacker to force a customer to install or buy the attacker’s app of choice instead of the one the user intended to install or buy), fake app upgrades, and serious privacy leaks.
“When contacting the upgrade server, the device sends in the clear a PList that contains all the applications installed on the phone. This is a privacy leak as it allows an attacker to know which bank/doctor/services the user uses,” Bursztein said. “It can also allow an attacker to track users, as a list of installed applications is pretty unique to each user (it seems likely that it will generate more than the 31 bits of entropy needed to uniquely identify a user.)”
Bursztein made these attack scenarios public in an effort to force Apple, and other mobile companies, to fix the problems. He has been waiting since July 2012 for the Cupertino company to act on its flaws and now the wait is finally over.