|Somebody left the gate open|
The Apple App Store had been running without SSL encryption for a period of at least six months, leaving it open to password theft, privacy leaks, and app manipulation vulnerabilities.
Apple recently updated its "Apple Web Server notifications" document, which is actually the credit roll for people that have reported security issues on Apple's web servers. Among the entries, Apple acknowledges Bernhard "Bruhns" Brehm of Recurity Labs, Elie Bursztein of Google, and Rahul Iyer of Bejoi LLC for pointing out issues with the itunes.apple.com domain.
The three researchers pointed out that information sent to and from the domain was not protected using HTTPS. Following their reports, Apple addressed the issue earlier this year, and now notes that "active content is now served over HTTPS by default".
According to Bursztein, by not using HTTPS, an attacker could carry out four different attacks on users whenever they were on a shared networks, such as those at airports or coffee shops.
Bursztein's attacks are done by intercepting the unencrypted traffic over the network and modifying Apple's response. The first attack, stealing a user's password, intercepts the App Store app's request for updates from the iTunes server, and injects code to produce a pop up asking for the users' password.
From the victim's perspective, it would appear that the App Store app has asked for the user's password upon being opened. This information can then be sent to the attacker.
The second attack fools the user into thinking they're downloading one application when they're not. The attack again intercepts the details presented on an application's page, leaving the original details of the application intact, but changing the details sent to Apple's servers when the user clicks buy or install.
"Abusing the lack of encryption on the application detail pages, the attacker is able to swap application purchase/download parameters with those of his choice. As a result, the attacker is able to force the victim to install/buy an app of his choice when the victim tries to install/upgrade any application," Bursztein wrote on his blog.
"The attacker would be able to monetize this attack by having his own (benign) very expensive application available through the market and forcing the user to install it using the app swapping attack."
This can be combined with Bursztein's third attack, which hijacks genuine updates to installed apps and, similar to the app-swapping attack, points to another app to install.
Lastly, Bursztein highlighted in his final attack that using the previous attacks, but changing the application to be installed/downloaded to one that is already on the device, an attacker could effectively stop the victim from installing any app, therefore blocking them from the App Store.
It is also possible to determine which apps a user has on their device, according to Bursztein, because when the device contacts the upgrade server, it sends a list of this information.
"It can also allow an attacker to track users, as a list of installed applications is pretty unique to each user (it seems likely that it will generate more than the 31 bits of entropy needed to uniquely identify a user)."
In addition to the video showing the app swapping attack, Bursztein has created videos demonstrating password stealing and the fake upgrade attack.
Any idiot would ask why it was't done that way from the beginning.