Two mobile security experts have uncovered a simple coding vulnerability that is widespread among applications on Apple's iOS platform. If exploited in the wild, the flaw would
Speaking about the issue at RSA Conference Europe 2013 in Amsterdam, the Netherlands, CEO Adi Sharabani and Chief Technology Officer Yair Amit, co-founders of Israel-based mobile security vendor Skycure, have provided details on the iOS app vulnerability, which stems from a commonly used approach to URL caching. The issue is so pervasive among iOS apps that the pair could not take the traditional route of notifying the vendors of vulnerable apps privately, according to Amit. Instead, they hope that vendors will become aware of the problem through their presentation at RSA Europe and act quickly to implement code they have provided to address the caching error.
The vulnerability, dubbed HTTP request hijacking by the pair, first requires a man-in-the-middle scenario, where a hacker sets up a Wi-Fi network in a public setting and captures information allowing attacks on unsuspecting victims. When a mobile application attempts to request information from a server, an attacker who intercepts the traffic can simply send a 301 "moved permanently" HTTP response status code back to the app, which enables the attacker to replace the vendor's server with their own as the hub of communication for the app.
This coding error is particularly problematic for mobile apps, according to Amit, because they cache the 301 response permanently, regardless of whether the victim is still connected to the same Wi-Fi network. When compared to how Web browsers show the URL being visited in the address bar, mobile apps also typically do not display the servers from which they retrieve information, leaving a victim clueless as to whether they are viewing legitimate content. Outside of a user uninstalling an app, Amit said attackers could control an app indefinitely via this simple exploit.
As for why attackers would choose this avenue of exploit, Amit pointed to the real-world example of the Syrian Electronic Army hacking the Twitter feed of the Associated Press and sending out tweets that caused U.S. stock markets to temporarily plummet. The markets obviously corrected when the attack was discovered, but one reason the discovery came quickly was because this particular attack used a compromised account belonging to the Associated Press. The company was almost immediately aware of the problem. Amit noted that the newly discovered vulnerability could be targeted at specific traders on Wall Street, for example, with little chance of discovery, as only the traders whose apps had been compromised would see the bogus content.
"We rely so much on our iPhones, and we rely on the apps in there and think of the app as something solid," Amit commented. "It makes you think: When you read the news this morning, did you read the real news or was it just fake information that the attacker is sending to you?"
Though the Israeli researchers have verified this issue only for apps on the iOS platform, Amit did note that certain Android applications could also be vulnerable to similar problems. Regardless, Amit said that there is too much confidence in the security of mobile apps. Due to the approach that Apple and Google have taken with their respective app stores, which he conceded has been effective from a security perspective, many users are simply overlooking the coding problems that can occur in any application.
"Ten years ago, everyone thought Web application vulnerabilities didn't really have importance, but today, we all know how important it is to secure your Web applications and how easy it is to exploit them," Amit said. "What I foresee -- and I already see the trend getting larger -- is that there will be problems with application code in mobile devices. I think Apple and Google have done a great job, but again, it's just inevitable. Coding problems always happen, and they have security implications."