#Post#: 61--------------------------------------------------
Apple’s App Store lacked encryption protection for months
By: Apple Team Date: April 2, 2013, 10:40 am
---------------------------------------------------------
Apple’s App Store operated for months without the protection of
SSL encryption, according to researchers.
Apple announced it had fixed the problem in January, but the
researchers who discovered the flaw didn’t write about it until
this month.
“I am really happy that my spare-time work pushed Apple to
finally enable HTTPS to protect users,” Elie Bursztein, whose
full-time job is with Google, wrote in a personal blog.
Apple did not respond to a request for comment.
Bursztein, along with Bernhard “Bruhns” Brehm of Recurity Labs
and Rahul Iyer of Bejoi found out in July 2012 that
communications between Apple’s App Store and consumers using the
store were unencrypted. That deficiency opened up users to
several kinds of attack on public networks, like those found in
an airport or coffee shop, according to Bursztein.
The potential attacks included:
Password Stealing. When a user logged into the App Store, an
attacker could slip a phony password request screen into the
process, effectively prompting the user to hand over their
password. “That Apple ID controls your credit card for buying
music and apps; it controls all your backups with all your
contacts,” Chet Wisniewski, a security advisor with cyber
security software maker Sophos, said in an interview. “That’s
pretty sensitive stuff. The Apple ID is similar to Facebook and
Google. Once it’s hacked, it cracks open the walnut of your
entire digital life.”
App Swapping. A user could be duped into installing an
attacker’s app when they think they’re installing legitimate
software. An app that costs money can be substituted for a free
app, too.
Fake Upgrades. Cyber thieves could trick a user into installing
something other than the app upgrade they think they’re getting.
Installation Prevention. This would prevent an app from being
installed on a machine by removing it from the store or by
tricking the device into thinking the app has already been
installed.
App Spying. The App Store’s update mechanism could be tapped and
all the applications installed on a user’s device could be viewed
by a cyber peeper.
With App Store communications vulnerable for so long, it’s a
wonder that a significant attack didn’t take place, said HD
Moore, CSO of Rapid7 in Boston.
“I’ve seen the hacker community talking about this and
demonstrate different techniques,” he said, “but it is
surprising that there hasn’t been any more wide scale attacks.”
A limiting factor, he explained, is that the attacker has to be in the
same physical area as the target – either on the same local
segment or the same wireless network – to carry it out.
The security breakdown could encourage mobile app makers to take
another look at their wares, Moore added. “On mobile devices, a
lot of folks can’t tell if SSL is on in the background. With
desktops and laptops, users have been well-trained to look for
that SSL lock icon in the corner.”
The incident could also grab the attention of security shops at
online retailers, said Jamz Yaneza, threat research manager at
Trend Micro in Cupertino, Calif.
“I think it’s a wake-up call for online retailers who outsource
development of apps,” he said. “When they do that, they should
make sure those apps use all the encryption that’s required.
“With all the breaches we’ve been hearing about in the past few
weeks, now is the time for them to take a close look at how
they’re securing customer data.”
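The two practical points in the article are that a user of a mobile client cannot see whether its traffic is encrypted, and that whoever ships the client has to make sure it is. The following is an added example, not code from the article or from Apple, of the kind of check a developer or reviewer can run over a client before release: it flags every endpoint the client talks to over plain HTTP (the condition that made login, app-swap and update-manifest tampering possible on a shared network) and checks that the client’s TLS configuration actually validates certificates rather than just negotiating a tunnel. The endpoint list and the `.invalid` hostnames are constructed sample data; the `ssl` module calls are standard-library Python.

```python
import ssl
from urllib.parse import urlparse

# Constructed sample: endpoints a hypothetical store client contacts.
# These are not Apple's real URLs; ".invalid" is a reserved TLD.
SAMPLE_ENDPOINTS = [
    "https://store.example.invalid/login",
    "http://store.example.invalid/updates/manifest",  # plaintext: manifest can be rewritten in transit
    "https://cdn.example.invalid/app/123.ipa",
    "http://cdn.example.invalid/app/456.ipa",         # plaintext: binary can be swapped in transit
]


def plaintext_endpoints(urls):
    """Return every URL whose scheme is not https (scheme compared case-insensitively)."""
    return [u for u in urls if urlparse(u).scheme.lower() != "https"]


def hardened_tls_context():
    """Client TLS context that requires a valid certificate chain and a matching hostname."""
    ctx = ssl.create_default_context()        # loads the platform trust store
    ctx.check_hostname = True                 # the leaf cert must match the host we dialled
    ctx.verify_mode = ssl.CERT_REQUIRED       # unverifiable chain -> handshake fails
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_tls_context():
    """The 'just make it connect' configuration: a tunnel, but to anyone who answers."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE           # any certificate, self-signed or not, is accepted
    return ctx


def context_is_hardened(ctx):
    """True only if the context validates the chain, checks the hostname and refuses old TLS."""
    return bool(
        ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def audit_client(urls, ctx):
    """Combine both checks into a list of findings; an empty list means the client passed."""
    findings = [f"plaintext endpoint: {u}" for u in plaintext_endpoints(urls)]
    if not context_is_hardened(ctx):
        findings.append(
            "tls context does not verify peer: "
            f"check_hostname={ctx.check_hostname}, verify_mode={ctx.verify_mode!r}"
        )
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_tls_context()), ("hardened", hardened_tls_context())):
        print(f"--- {name} client ---")
        for finding in audit_client(SAMPLE_ENDPOINTS, ctx) or ["no findings"]:
            print(finding)
```

The point of the second check is that "uses SSL" is not the same as "verifies the peer": a context with `CERT_NONE` still shows encrypted traffic on the wire, but anyone on the same network segment can terminate it with their own certificate, which is exactly the position the article’s attacks relied on. Both checks are something a build pipeline can run over a client’s configuration, which is more reliable than expecting a phone user to spot a missing lock icon.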