Apple Fixes App Store Security Risk
Finding a fatal security flaw in your system is embarrassing enough; allowing your primary competitor to find it is even worse.
For years, Apple's App Store has unknowingly exposed iDevice (iPhone, iPad, and iPod Touch) users to a potential account hijack. A security expert for Google identified this shortcoming, prompting Apple to repair it; the process took eight months.
The security threat was a fairly insidious one, and required only a computer and an iDevice on the same Wi-Fi network. When users log into the App Store and make a purchase, they are required to enter their passwords to do so. Meanwhile, a hacker running a simple program on a computer could discern both a username and a password at the moment of purchase.
This process would allow a hacker to use a stolen account for his or her own ends. Some purchases on the App Store range up to $1,000, and Apple is not generally inclined to give refunds, which could leave users' wallets in a considerable amount of turmoil.
Elie Bursztein, who works for Apple competitor Google and runs his own security blog, discovered the bug in July 2012 and reported it immediately. The problem stems from Apple's failure to implement the HTTPS protocol, which provides encryption for sensitive login information across a variety of platforms.
"I decided to render those attacks public, in the hope that it will lead more developpers (sic) (in particular mobile ones) to enable HTTPS," writes Bursztein, detailing the various ways a potential hijacker could take advantage of Apple's laxity. "Please don't let your users down and do the right thing: use HTTPS!"
Bursztein details five different kinds of attacks that the security flaw allowed. Password stealing and privacy leaks are fairly standard practices by which hackers compromise users' personal and financial information.
App swapping, fake app upgrades and preventing application installation are methods by which hackers foist dangerous, unwanted apps onto users by replacing safe, desired ones.
Bursztein theorizes that an enterprising hacker could have gotten rich by designing a simple $1,000 app, stealing user information, and forcing them to purchase and install it. By the time Apple got wise to this scheme, the hacker would presumably already have a small fortune in the bank, and be impossible to track, thanks to the vagaries of public Wi-Fi.
One bright spot in this whole mess is that it's not clear whether hackers were actually able to compromise anyone's information this way. Bursztein found the flaw, reported it, and Apple (eventually) fixed it without too much of an outcry. Now that Apple has implemented HTTPS in the App Store, further breaches of this type will be impossible.
As for App Store users, they can buy apps on public Wi-Fi with confidence, at least for the time being. No doubt, this will not be the last security exploit on a mobile operating system.