clock menu more-arrow no yes

Filed under:

Apple belatedly patches App Store vulnerability

New, 64 comments
Apple ID password
Apple ID password

Last July, a security researcher at Google discovered a number of vulnerabilities in Apple's iOS App Store that stemmed from Apple's failure to implement HTTPS encryption. Some six months later, Apple finally started using HTTPS in the App Store (see the 2013-01-23 update), and now the researcher has released his findings and the issues that could have plagued iOS users had the exploits become widely utilized. As Elie Bursztein describes in his blog, the lack of App Store encryption could have let malicious users hijack an iOS user's password, force users to download different apps than ones they mean to, prevent app installs altogether, or manipulate app upgrades so users would install different apps than they meant to. In some cases, these app-swapping techniques could have led users to purchase apps when they meant to download free ones. While you'd need to be on the same Wi-Fi network as your attacker for these vulnerabilities to be exploited, that's hardly an uncommon scenario in public places like airports or coffee shops.

The password-theft vulnerability is particularly troubling — as we learned last summer, hackers can cause an awful lot of damage once they have control of a user's Apple ID. It's also surprising that it took Apple some six months to fix this situation — Bursztein said that he alerted Apple to his findings back in early July of 2012, and Apple only turned on HTTPS encryption at the end of January. Furthermore, the App Store existed for years without having HTTPS encryption; fortunately, it doesn't appear that these vulnerabilities ever reached mass awareness. Still, if Apple wants to keep poking fun at security issues on Android, it'll probably want to plug these kinds of vulnerabilities faster in the future.