Apple App Store Now More Secure With HTTPS Implementation

Elie Bursztein of Google reported multiple vulnerabilities in the App Store to Apple in July 2012. Apple seems to have finally fixed almost all of them by implementing HTTPS last week. The App Store (iOS) and native apps on iOS devices are designed to fetch content from the App Store (web). While the App Store (iOS) is a native app, it still pulls all of its data dynamically from the server using standard web formats such as HTML, JavaScript and CSS, with custom extensions and keywords. According to Elie Bursztein, the attacks can be carried out by an active network attacker who is able to read, intercept and manipulate unencrypted (HTTP) network traffic.

On his blog, Elie claims that by abusing the system he can carry out various attacks, such as:

– Password stealing: Trick the user into disclosing his or her password by using the application update notification mechanism to insert a fake prompt when the App Store is launched.
  Demo video: https://www.youtube.com/watch?v=b7MQjLVkekg
– App swapping: Force the user to install/buy the attacker’s app of choice instead of the one the user intended to install/buy. It is possible to swap a free app with a paid app.
  Demo video: https://www.youtube.com/watch?v=qTkxmfkw7iQ
– App fake upgrade: Trick the user into installing/buying the attacker’s app of choice by inserting fake app upgrades, or manipulating existing app upgrades.
  Demo video: https://www.youtube.com/watch?v=epcS_s2E-rA
– Preventing application installation: Prevent the user from installing/upgrading applications either by stripping the app out of the market or tricking the app into believing it is already installed.
– Privacy leak: The App Store application update mechanism discloses in the clear the list of the applications installed on the device.

This post was originally published on Elie Bursztein’s blog.