'Thousands of iPhone, iPad apps' vulnerable to simple redirect joyriders

An Israeli security firm will expose a flaw common to thousands of iPhone and iPad applications, which allows miscreants to hijack software using persistent man-in-the-middle attacks. "We identified a very large number of applications that are vulnerable to this problem," Skycure's CTO Yair Amit told The Register. The …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    I don't think the issue here is the HTTP redirect. The issue is trusting WiFi networks you meet in the wild since for this attack to be successful (as described in the article), the network needs to be compromised/owned by the attackers with either a gateway/proxy or some DNS hijacking to redirect the HTTP requests.

    I always VPN my phone traffic through my home network. Anyone (esp. tech types) who trusts 3rd party apps to only transmit auth tokens securely has a lot more faith in the developers than I do.

    I'm curious to know if the Apache HTTP client used on Android blindly follows redirects by default. You can set up handlers to intercept and verify the redirect, but I'm not sure of the default behaviour.

    I think the moral of this story is don't trust any network that's not yours, and even then, exercise caution.

  2. Anonymous Coward

    "Flaw in application coding"

    It doesn't sound like this is something that iOS could be changed to prevent, nor that there is anything that limits the bug to iOS versus any other OS under the sun. If they warned Apple so that Apple could (hopefully) notify its developers, what about Android or Windows developers? It doesn't matter what OS it is designed to run on, a MITM HTTP redirect can affect any app. I hope they aren't going to leave all the developers who don't have iOS versions hanging out to dry, then claim they are being "responsible" about the disclosure.

    Or does iOS provide a particular API for an HTTP query that silently accepts an HTTP redirect, while the API in other OSes returns an error message and expects the application to handle it to try the redirect address? If that's the case, while it isn't technically a flaw in iOS, it is something that iOS might want to change to make it more difficult for poorly coded applications to fall victim to this.

  3. Anonymous Coward

    What am I missing?

    Surely if you can inject a 301 in the response, you can manipulate the rest of the response anyway??

    1. Cliff

      Re: What am I missing?

      Is the answer HTTPS?

      1. Anonymous Coward

        Re: What am I missing?

        Yes, but HTTPS requires a valid certificate, for which you have to pay. Thereby I guess many applications just use plain HTTP - and that's vulnerable to many different kinds of attacks if you can play MTM.

        1. An0n C0w4rd

          Re: What am I missing?

          Yes, but HTTPS requires a valid certificate, for which you have to pay.

          Not entirely true. I've had an SSL cert, recognised by all clients I've tried so far as signed by a trusted CA, on my personal mail server for years without paying a penny for it.

          1. Cliff

            Re: What am I missing?

            Seeing as Apple apps all go through Apple's walled garden, issuing a certificate on acceptance would seem a pretty sensible offering in return for 30% of app revenue.

  4. Happy Ranter
    Holmes

    That is not news

    301 response has ALWAYS been vulnerable to man in the middle attacks and not just on iOS devices.

    This is not news. It's a shallow attempt by a CTO of some security research firm that no-one has ever heard of to get free media coverage by scare mongering a user base that doesn't have the technical knowledge to understand all the big words.

    What's next? Shock! Horror!!

    Other people can read your USB stick if you let them borrow it says CTO of USB encryption software company.

    Oh, hang on, that was last month's news

  5. This post has been deleted by its author

  6. Robert Grant

    I always wondered about this

    Is there standard cert infrastructure that app developers can use? E.g. upload app with public cert, app API makes sure that calls to the backend will use it?

    Seems like a scary thing to not enforce?

  7. heyrick Silver badge

    Thought about this years ago with my software.

    I decided if my site is not available, then there would be nothing to fetch. So anything that isn't a 200 OK is treated as a 404.

    But this is bollocks anyway. If something can sit and fake a 301 response, surely it can just as easily alter the original HTTP fetch to point to something else in the first place.

  8. Stretch

    As much as I hate Crapple...

    ...and everything and everyone with any hint of association to them such as owning any of their products...

    ...this is not their fault or anything to do with the platform. This is HTTP and this is not a "vulnerability" in any specific application. Why would I need to 301 the original request anyway - if I have already Man-in-Middled you then there are far more effective things I can do.

  9. Sitaram Chamarty

    @Heyrick, @Happy Ranter, @AC "What am I missing"

    AC: your question is "Surely if you can inject a 301 in the response, you can manipulate the rest of the response anyway?"

    Sure, but a 301 makes it permanent. Your MITM may be temporary, but you are making a permanent change to the app now.

    (heyrick: same...)

    Happy Ranter: regardless of what their motivations are, the fact is that an *app* (as opposed to a real browser, even on a mobile device) does not have a URL bar, so the minimum protection we normally have when we get a 301 -- the fact that we can *see* the new URL in the bar -- does not exist here.

    That is the issue, I think.
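
Added example (not part of the original thread or of Skycure's research): a Python simulation of the point in the comment above, that a cached 301 outlives the man-in-the-middle, next to a client that checks each redirect before following it. The host names, the `Client` class and `redirect_allowed` are hypothetical, and the dictionaries are constructed stand-ins for network responses.

```python
from urllib.parse import urlsplit, urljoin

PINNED_HOSTS = {"api.news-app.example"}        # hypothetical backend host
FEED = "http://api.news-app.example/feed"      # constructed sample URLs
EVIL = "http://attacker.example/feed"
# Constructed networks: URL -> (status, Location header or response body)
HOSTILE_NET = {FEED: (301, EVIL), EVIL: (200, "forged headlines")}
CLEAN_NET = {FEED: (200, "real headlines"), EVIL: (200, "forged headlines")}

def redirect_allowed(current_url, location):
    """Hardened policy: follow only HTTPS redirects that stay on a pinned host."""
    target = urlsplit(urljoin(current_url, location))
    return target.scheme == "https" and target.hostname in PINNED_HOSTS

class Client:
    """Toy HTTP client that persists 301s the way a URL cache would."""
    def __init__(self, hardened):
        self.hardened = hardened
        self.permanent = {}                    # survives across networks

    def fetch(self, url, network, max_hops=5):
        for _ in range(max_hops):
            url = self.permanent.get(url, url)   # replay cached 301 first
            status, value = network[url]
            if status not in (301, 302):
                return url, value
            if self.hardened and not redirect_allowed(url, value):
                raise PermissionError(f"refused redirect to {value}")
            target = urljoin(url, value)
            if status == 301:
                self.permanent[url] = target     # the persistent part
            url = target
        raise RuntimeError("too many redirects")

def simulate(hardened):
    """One request on a hostile network, then one on a clean network."""
    client = Client(hardened)
    try:
        client.fetch(FEED, HOSTILE_NET)
    except PermissionError:
        pass                                   # hardened client drops the response
    return client.fetch(FEED, CLEAN_NET)

if __name__ == "__main__":
    print("naive:   ", simulate(False))
    print("hardened:", simulate(True))
```

The redirect check only stops the change from persisting; while the request itself is plain HTTP, the response can still be altered for as long as the attacker is on the path, which is what the HTTPS replies above are getting at.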

  10. PeterM42
    FAIL

    Of course Apple Products are not vulnerable to attacks

    Oh Wait.....
