Apple Ups Security For App Store

Published: 22/11/2024   Category: security




Apple begins using secure Web pages -- HTTPS -- for all App Store communications, to protect against password theft and other potential problems.



Apple has begun using secure Web pages -- HTTPS -- for all App Store communications. The move mitigates a number of vulnerabilities that attackers could have exploited to steal App Store passwords, force users to pay for unwanted apps or intercept user data.

Apple announced the security change earlier this year, noting that active content is now served over HTTPS by default for the App Store via its iTunes applications. Apple's security notice credited multiple researchers for alerting it to the vulnerability, including Google researcher Elie Bursztein.

Bursztein said Friday in a blog post that Apple's previous failure to use HTTPS for App Store communications -- except on purchase pages -- along with its failure to confirm certain activities and the dynamic manner in which App Store pages are generated, left users open to an active network attack that is able to read, intercept and manipulate non-encrypted (HTTP) network traffic, for example via unencrypted public Wi-Fi hotspots.
"Being on the same networks as the victims is all it takes [to facilitate man-in-the-middle (MITM) attacks]," he said.

For example, an attacker could have stolen passwords by inserting a fake password prompt into the App Store application update mechanism, or swapped a paid app for a free app that a user tried to obtain, thus charging them. Users could also have been tricked into paying for fake app upgrades, or blocked from installing an app, either by hiding it from view in the App Store or by tricking the user into thinking it was already installed. Finally, Bursztein said the vulnerabilities posed a privacy-leak problem, because the App Store application update mechanism disclosed in the clear the list of applications installed on the device.
Apple's adoption of HTTPS for all App Store communications follows -- and arguably lags -- similar moves made by Google, which began exploring the use of HTTPS for encrypted search in 2010 and made it the default for all communications with Google services, including Gmail, in 2011. Similarly, Facebook adopted HTTPS by default late last year, as did Twitter.

Last year, Mozilla announced that Firefox would default to the HTTPS version of any website, taking a cue from the HTTPS Everywhere campaign and related plug-in advanced by the Electronic Frontier Foundation, which seeks to get more sites to adopt the security offered by HTTPS pages.

Calls for websites to adopt HTTPS increased in the wake of Firesheep, a Firefox plug-in released in late 2010 that focused attention on the ease with which traffic sent across unsecured hotspots -- for example, in many cafes and airports -- could be intercepted. The fix for such attacks was easy: websites needed to enable HTTPS by default, thus adding an encryption layer to all HTTP communications between browser and website.
"Apple, it seems, didn't bother with HTTPS Everywhere, even for its own App Store, until 2013," said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, in a blog post. "Since there's no other place to shop when you're buying or selling iDevice software, and since Apple likes it that way, you might think that Cupertino would have set the bar a bit higher."

How long has Apple's use of HTTP for its App Store put users at risk of being exploited? "I am unsure," Google researcher Bursztein said via Twitter. "I reported it in July [2012], but likely they have been susceptible to MITM for years."

But Bursztein hopes that Apple's adoption of HTTPS for its App Store will lead more developers -- in particular mobile ones -- to likewise adopt HTTPS. "Enabling HTTPS and ensuring certificates' validity is the most important thing you can do to secure your app communication."

"Please don't let your users down," he said. "Do the right thing: use HTTPS."
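Bursztein's advice, together with the attack classes described earlier (content injected into App Store pages fetched over plain HTTP, and an update mechanism that leaked data in the clear), translates into three concrete checks an app developer or site owner can apply. The block below is an added example written for this page, not code from Apple, Bursztein or the article: it refuses (or, HTTPS-Everywhere style, upgrades) plain-HTTP URLs before any request is made, builds a TLS context that actually validates the peer's certificate chain and hostname, and scans a page's HTML for active content (scripts, stylesheets, frames, plug-in objects) that is still referenced over HTTP. The sample HTML and the `example.test` host names are constructed for the example.

```python
"""Three defensive checks against the HTTP-on-shared-network problem:
1. never talk to a service over plain HTTP (refuse, or upgrade the URL),
2. validate the server certificate and hostname when TLS is used,
3. flag active sub-resources an HTTPS page still loads over HTTP.
Example code for this article; the page below is constructed, not Apple's."""
import ssl
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit


def require_https(url: str, upgrade: bool = False) -> str:
    """Return the URL if it is already HTTPS. With upgrade=True a plain-HTTP
    URL is rewritten to HTTPS (the HTTPS Everywhere approach); anything else
    is refused so no request ever goes out unencrypted."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return url
    if parts.scheme == "http" and upgrade:
        return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
    raise ValueError(f"refusing to fetch over an insecure scheme: {url}")


def hardened_tls_context() -> ssl.SSLContext:
    """A client context that verifies the chain against the system CA store,
    checks the hostname, and refuses pre-1.2 TLS. create_default_context()
    already sets CERT_REQUIRED and check_hostname; the minimum version is added."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context both validates the certificate and checks the hostname."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


class InsecureActiveContentFinder(HTMLParser):
    """Collects active sub-resources that an HTTPS page still loads over HTTP.
    Passive content (images, favicons) is deliberately not flagged: only
    active content can run code or restyle the page when tampered with."""

    ACTIVE = {"script": "src", "iframe": "src", "frame": "src",
              "object": "data", "embed": "src"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names
        url = None
        if tag in self.ACTIVE:
            url = attrs.get(self.ACTIVE[tag])
        elif tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower().split():
            url = attrs.get("href")
        if url and url.lower().startswith("http://"):
            self.findings.append((tag, url))


def find_insecure_active_content(html: str) -> list:
    """Return [(tag, url), ...] for every active resource referenced over HTTP."""
    finder = InsecureActiveContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: a nominally HTTPS store page with mixed active content.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/store.css">
<link rel="icon" href="http://cdn.example.test/favicon.ico">
<script src="https://cdn.example.test/store.js"></script>
<script src="http://cdn.example.test/update-check.js"></script>
</head><body><img src="http://cdn.example.test/banner.png"></body></html>"""

if __name__ == "__main__":
    print(require_https("http://store.example.test/app/123", upgrade=True))
    print("peer verification enabled:", context_verifies_peer(hardened_tls_context()))
    for tag, url in find_insecure_active_content(SAMPLE_PAGE):
        print(f"insecure active content: <{tag}> {url}")
```

The mixed-content scan is the check that matches Apple's own wording ("active content is now served over HTTPS by default"): a page delivered over HTTPS gains nothing if the script that drives its update prompt is still fetched over HTTP, because an attacker on the same network can replace that one resource and control the page.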