Friday, 8 November 2013

iOS App Vulnerability Could Let Attackers Hijack Your Apps

From Skycure
During a Main-in-the-Middle attack, someone hijacks your connection to a secure site, receiving everything sent by either party and passing it along, possibly with malicious changes. But a MITM attack ends when you disconnect from the network. Not so any longer says Yair Amit from Skycure (the guys who hacked my iPhone). They've apparently uncovered a vulnerability that can permanently change the behavior of apps in iOS.
Meet the HTTP Request Hijacking Attack
Skycure calls it a HTTP Request Hijacking Attack and it begins, Amit said, with a MITM attack. While you're connected to the malicious network, the attacker monitors your traffic and looks for apps retrieving information from servers. Then the attacker intercepts that request and sends a 301 HTTP status code back to the application. This is a permanent redirection error, and tells the browser that the server it's looking for has been permanently moved to another location.
All the vulnerable apps, Amit explained, will cache the change made by the 301 code and continue to connect to the redirected server for the foreseeable future. In a non-malicious scenario, this is great for users since it means faster and more reliable connections. But when the attacker sends his 301 error, it forces the application to start loading information from his server.
The implications are interesting. Amit pointed out that many news and stocks applications don't have URL bars, so it's not clear to the user where the information is coming from. In the case of a compromised news application, Amit said, "now you're reading fake news from the attacker."
Such an attack could be subtle, maybe feeding fake stories or inaccurate stock information to manipulate the market. Or an attacker could conceivably mirror all the information from a news app's server but inject malicious links for phishing, or worse.
Widespread But Unused
The scariest thing Amit told me wasn't what the attack could do, but how widespread it was. Because it's so simple, thousands of apps appear to be affected. So many, that Skycure says that the only way to only way to responsibly disclose the vulnerability was to describe it publicly without revealing the names of affected apps.
The good news is that Amit says his team hasn't seen this particular attack used in the wild. The implication, of course, is that developers should move quickly to update their apps and resolve the issue before someone starts using it. Any developers out there should head over to Skycure for suggestions on how to improve their apps.
Staying Safe
The best thing users can do is to keep their apps up to date, as developers are likely to begin implementing fixes across vulnerable apps. If you think you've already been hit by this particular attack, you should un-install the suspect application and then reinstall it from the App Store.
Avoiding this attack in the future is easier in theory than it is in practice. "It is always safer to not to connect to [unsecured] WiFi networks, but at the end of the day we always do," said Amit. Sometimes, it's not even an issue of convenience as phones are can connect to Wi-Fi networks without user actions. Amit explained, saying that AT&T customers automatically connect to AT&T networks. He also pointed out that if an attacker used malicious profiles, as Skycure did when they hacked my iPhone, not even an SSL connection could stop the attack.
The onus, according to Skycure, is on developers to build their apps to avoid the problem in the first place. And hopefully soon, since the information on the vulnerability is now available.

No comments:

Post a Comment