
SomeDudeAsking

After leaving users exposed, Apple fully HTTPS-protects iOS App Store


Image from video demonstrating a password attack that was possible because Apple didn't fully encrypt traffic traveling between its App Store and end users.

For the past nine months—and possibly for years—Apple has unnecessarily left many of its iOS customers open to attack because engineers failed to implement standard technology that encrypts all traffic traveling between handsets and the company's App Store.

While HTTPS-encrypted communications have been used for years to prevent attackers from intercepting and manipulating sensitive traffic sent by online banks and merchants, the native iOS app that connects to Apple's App Store fully deployed the protection only recently. Elie Bursztein, a Google researcher who said he discovered the security hole in his spare time, said in a blog post published on Friday that he reported various iOS flaws to Apple's security team in July. His post gave no indication that the iOS app had ever fully used HTTPS, raising the possibility that this significant omission has been present for years. (Apple doesn't comment on security matters, so it's impossible for Ars to confirm the precise timeline or level of protection.)

....

Apple's failure to fully offer HTTPS for customers using their iOS app posed an unnecessary risk to anyone who has ever used their iPhone or iPad to download an app over an unsecured Wi-Fi connection. Attackers connected to the same network could use a variety of freely available tools and a clever social-engineering trick to retrieve passwords or other log-in credentials. Worse, they could set up fake App Stores that would issue fake apps and upgrades instead of the ones that would normally be issued by Apple's legitimate store.

.......

http://arstechnica.com/security/2013/03/after-leaving-users-exposed-apple-finally-https-protects-ios-app-store/

I'm surprised this isn't on the MacRumors front page since it is so important to know for users who have had their Apple accounts compromised in the past years. It is also unclear if you need the latest version of iOS with the latest version of the Apple App Store to be protected.
 
Over an unsecure wifi connection.
Besides, who's going to analyze data from the wifi hotspots? (I suppose that's what they mean by insecure wifi connections, since most wifi home connections come with a password by default.)
 
Over an unsecure wifi connection.
Besides, who's going to analyze data from the wifi hotspots? (I suppose that's what they mean by insecure wifi connections, since most wifi home connections come with a password by default.)

You must be joking right? Ever heard of Firesheep? Or how about Droidsheep that runs on Android phones? Sniffing wifi hotspots is easy to do.

And "unsecured Wi-Fi connection" does not just mean wifi hotspots with no password; it can also be wifi connections with passwords where the attacker is also connected. Ever been to a Starbucks, McDonald's, university or an airport? Yeah. An attacker can also just have his own public wifi hotspot with a familiar name and bam, you are owned.
 
Over an unsecure wifi connection.
Besides, who's going to analyze data from the wifi hotspots? (I suppose that's what they mean by insecure wifi connections, since most wifi home connections come with a password by default.)

Uhm, people who are at best bored, or at worst malicious....

Half of the Starbucks patrons I see are browsing the internets, often on iOS devices.

This is a real issue and I cannot believe anyone halfway reasonable can defend Apple for ignoring it for so long.
 
You must be joking right? Ever heard of Firesheep? Or how about Droidsheep that runs on Android phones? Sniffing wifi hotspots is easy to do.

And "unsecured Wi-Fi connection" does not just mean wifi hotspots with no password; it can also be wifi connections with passwords where the attacker is also connected. Ever been to a Starbucks, McDonald's, university or an airport? Yeah. An attacker can also just have his own public wifi hotspot with a familiar name and bam, you are owned.

It's then an issue to the place you are connected to.
While they should have protected it better, they didn't, but there's still some good sense in using important data on wifi places that you know are very reliable.

Do you access banking information on those wifi hotspots? Of course not; an Apple ID to me applies the same way as credit card information too.

You can of course feel different about this.
 
It's then an issue to the place you are connected to.
While they should have protected it better, they didn't, but there's still some good sense in using important data on wifi places that you know are very reliable.

Do you access banking information on those wifi hotspots? Of course not; an Apple ID to me applies the same way as credit card information too.

You can of course feel different about this.

So it's no fault of Apple's for not using basic encryption properly, huh? And are you going to start body searching everyone at a public wifi hotspot to see if they have a device running Firesheep, Droidsheep, or any number of intercept tools?
 
Do you access banking information on those wifi hotspots?
I do, but I'm comfortable with how https works.

Thing is, using a browser to access your bank, the browser will show you the icon that indicates when your data is being encrypted. Most use a lock icon. So if the bank screws up an area of their website and makes it not secure, you will know.

The App Store app doesn't give you any visible icon that shows if your data is being sent securely or not. If Apple screws up a part of their store (like they apparently did), you're vulnerable.

I'd guess that 99% folks trusted Apple to have done App Store security properly, meaning there would be no reason NOT to use it on public wifi.
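
Since the App Store app shows no lock icon, the only way to know what an app sends in the clear is to inspect its traffic. The following is an added example (not part of the original thread or any poster's code) that audits request records exported from an intercepting proxy while testing your own app; the record format, the `example.test` hosts and the sensitive-name lists are assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Names treated as credential-like (assumed lists; extend for the app under test).
SENSITIVE_PARAMS = {"password", "passwd", "token", "session", "appleid"}
SENSITIVE_HEADERS = {"cookie", "authorization"}

# Constructed sample records; hosts, paths and values are made up.
SAMPLE = [
    {"url": "https://store.example.test/login", "headers": {},
     "body": "appleid=a%40b.test&password=hunter2", "status": 200, "resp_headers": {}},
    {"url": "http://store.example.test/updates?lang=en",
     "headers": {"Cookie": "session=abc123"}, "body": "", "status": 200, "resp_headers": {}},
    {"url": "http://cdn.example.test/app/icon.png", "headers": {},
     "body": "", "status": 200, "resp_headers": {}},
    {"url": "https://store.example.test/buy?id=42", "headers": {}, "body": "", "status": 302,
     "resp_headers": {"Location": "http://store.example.test/buy-confirm?id=42"}},
]

def sensitive_fields(record):
    """Return sorted names of credential-like headers and parameters in a request."""
    found = {h.lower() for h in record["headers"] if h.lower() in SENSITIVE_HEADERS}
    query = urlsplit(record["url"]).query
    for name, _ in parse_qsl(query) + parse_qsl(record.get("body", "")):
        if name.lower() in SENSITIVE_PARAMS:
            found.add(name.lower())
    return sorted(found)

def audit(records):
    """Return (severity, kind, url, details) tuples for requests that leave TLS."""
    findings = []
    for r in records:
        scheme = urlsplit(r["url"]).scheme.lower()
        if scheme == "http":
            leaked = sensitive_fields(r)
            if leaked:
                # Anyone on the same network can read these values.
                findings.append(("HIGH", "credentials-in-cleartext", r["url"], leaked))
            else:
                # No secrets, but the response can still be modified in transit.
                findings.append(("MEDIUM", "cleartext-request", r["url"], []))
        elif scheme == "https":
            loc = r.get("resp_headers", {}).get("Location", "")
            if 300 <= r.get("status", 0) < 400 and loc.lower().startswith("http://"):
                # The server itself sends the client off the encrypted channel.
                findings.append(("HIGH", "https-to-http-redirect", r["url"], [loc]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```
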
 
So it was no big deal that our Apple ID passwords could have been intercepted for years and could still be vulnerable if you don't have the latest version of iOS? And it is no big deal that Apple knew about this basic vulnerability since the middle of last year but still doesn't publicize a basic vulnerability report besides a sentence or two recognizing the Google employee that found it? Sweeping it under the rug is not how you handle security.
 
So it was no big deal that our Apple ID passwords could have been intercepted for years and could still be vulnerable if you don't have the latest version of iOS? And it is no big deal that Apple knew about this basic vulnerability since the middle of last year but still doesn't publicize a basic vulnerability report besides a sentence or two recognizing the Google employee that found it? Sweeping it under the rug is not how you handle security.

So you change your password, what the hell man... Even that is useless; if somebody got your password they would have used it by now. If they didn't, you can keep it. I'll let you lose sleep over it.
 
And it is no big deal that Apple knew about this basic vulnerability since the middle of last year but still doesn't publicize a basic vulnerability report besides a sentence or two recognizing the Google employee that found it? Sweeping it under the rug is not how you handle security.
IMO, the part above isn't a big deal because that's how Apple's always treated 99.99% of vulnerabilities. It's not like they're going out of their way to treat this one any differently.

So you change your password, what the hell man... Even that is useless; if somebody got your password they would have used it by now. If they didn't, you can keep it. I'll let you lose sleep over it.
IIRC, there are more than a few threads on MacRumors from folks who have had their iTunes account hacked (i.e. someone got their password and charged up a bunch of stuff), despite the fact that they used a unique and complex password. Some folks had their accounts hacked MULTIPLE TIMES, even after changing their passwords.

It's interesting to me that Apple's "answer" to that was to require that the credit card information be verified when a purchase is made for the first time on a new machine. Not that this method does anything to protect your iCloud stuff (email, etc).

Oh well, at least there's an answer as to how these folks could have been continually hacked.
 
So you change your password, what the hell man... Even that is useless; if somebody got your password they would have used it by now. If they didn't, you can keep it. I'll let you lose sleep over it.

If someone got hold of your password, you may not even know about it if their goal was to continually steal all your iCloud documents, read your email, and receive all your iMessages. It is not right that Apple just tried to sweep this under the rug when they should force a password reset for everyone.
 
IMO, the part above isn't a big deal because that's how Apple's always treated 99.99% of vulnerabilities. It's not like they're going out of their way to treat this one any differently.


IIRC, there are more than a few threads on MacRumors from folks who have had their iTunes account hacked (i.e. someone got their password and charged up a bunch of stuff), despite the fact that they used a unique and complex password. Some folks had their accounts hacked MULTIPLE TIMES, even after changing their passwords.

It's interesting to me that Apple's "answer" to that was to require that the credit card information be verified when a purchase is made for the first time on a new machine. Not that this method does anything to protect your iCloud stuff (email, etc).

Oh well, at least there's an answer as to how these folks could have been continually hacked.

Oh please, most people that got their accounts hacked probably got their computer hacked. I think if you get hacked multiple times in the same account, it is because someone has gotten access to your device somehow.
 
Oh please, most people that got their accounts hacked probably got their computer hacked. I think if you get hacked multiple times in the same account, it is because someone has gotten access to your device somehow.
Who knows.

You'd think that if someone hacked into your computer, they'd be after something a little more lucrative than your Apple ID, right? Perhaps your banking and credit card account information?

Then again, if people are only intercepting your information by sniffing traffic on wireless networks (work, school, airports, restaurants), they would only be able to get your Apple ID information, because unlike the App Store, the banks and credit card sites keep it 100% SSL encrypted.
 
Who knows.

You'd think that if someone hacked into your computer, they'd be after something a little more lucrative than your Apple ID, right? Perhaps your banking and credit card account information?

Considering most people have credit card/payment information tied to their apple id, it isn't necessary to have credit card information. Like the researcher said who posted this security issue, hackers could use it to buy apps without the user's knowledge. So you just need some overpriced apps to make it happen. But the researcher didn't release the info until after Apple fixed it, so there doesn't appear to be anyone using this security hole as far as anyone knows.
 
Apple was stupid for not implementing full HTTPS for the App Store but, that said, you are also stupid if you log into sensitive accounts over unsecured WiFi connections. This is why I never use those things, I just use the data on my phone, because it's a connection I know is reasonably secure - it's a lot harder to intercept a 3G connection than it is to sniff an open WiFi network after all.
 
You'd think that if someone hacked into your computer, they'd be after something a little more lucrative than your Apple ID, right? Perhaps your banking and credit card account information?

In many cases, access to someone's full iCloud backup is more valuable than their bank account.
 
Apple was stupid for not implementing full HTTPS for the App Store but, that said, you are also stupid if you log into sensitive accounts over unsecured WiFi connections. This is why I never use those things, I just use the data on my phone, because it's a connection I know is reasonably secure - it's a lot harder to intercept a 3G connection than it is to sniff an open WiFi network after all.

Average users probably don't know and shouldn't have to know these details, it should just work. An average user probably isn't going to care what connection they are connected to as long as it works. And a 3G connection isn't going to help someone with an iPod or wifi only iPad.
 
Average users probably don't know and shouldn't have to know these details, it should just work. An average user probably isn't going to care what connection they are connected to as long as it works. And a 3G connection isn't going to help someone with an iPod or wifi only iPad.

Well then average users can enjoy having their details stolen for not bothering to make sure they're being secure. The fact that such ignorance is encouraged is a problem. Why do you think people still bother phishing? Because some idiot will always fall for it because they don't think they "need to know this stuff."

If people must use an open WiFi network they should always do it through a VPN. Simple as that really.

Oh, and I use my iPhone's 3G connection on my Nexus 7 all the time. That personal hotspot feature is there for a reason after all.
 
Well then average users can enjoy having their details stolen for not bothering to make sure they're being secure. The fact that such ignorance is encouraged is a problem. Why do you think people still bother phishing? Because some idiot will always fall for it because they don't think they "need to know this stuff."

If people must use an open WiFi network they should always do it through a VPN. Simple as that really.

Oh, and I use my iPhone's 3G connection on my Nexus 7 all the time. That personal hotspot feature is there for a reason after all.

And then you try to explain what VPN is to an average user and they stare at you with a blank face. And then you tell them that they will have to pay a monthly fee to use a VPN and that it will cause increased lag and decreased bandwidth. And then you mention that all this extra encryption causes decreased battery life. To which, they rip their phone back from your hands.

Oh, and tethering through your phone's wifi hotspot costs extra, too. And it causes decreased battery life and you can't get high quality streaming video through 3G. And you run the risk of blowing through your data cap.

Why even bother having SSL if you think a VPN can take care of the connection security? VPN connections have to travel through the regular Internet to reach the original host so Apple not having full encryption would still leave users vulnerable to password theft if an attacker were to intercept somewhere further down the line.
 
And then you try to explain what VPN is to an average user and they stare at you with a blank face. And then you tell them that they will have to pay a monthly fee to use a VPN and that it will cause increased lag and decreased bandwidth. And then you mention that all this extra encryption causes decreased battery life. To which, they rip their phone back from your hands.

Oh, and tethering through your phone's wifi hotspot costs extra, too. And it causes decreased battery life and you can't get high quality streaming video through 3G. And you run the risk of blowing through your data cap.

Why even bother having SSL if you think a VPN can take care of the connection security? VPN connections have to travel through the regular Internet to reach the original host so Apple not having full encryption would still leave users vulnerable to password theft if an attacker were to intercept somewhere further down the line.

Easy: "A VPN is a secure tunnel which protects everything you go on from other people on the network." Boom. And I have never seen evidence of VPNs reducing speed, bandwidth, or battery life. And the price is negligible. £5 a month can get you a decent VPN, that's nothing.

Unlimited tethering is included in my plan, although I'm in the UK and I know US phone plans are terrible compared to ours.

VPN connections are a secure tunnel from your device to the VPN server, so no one on that WiFi network can intercept your connection. I don't know what you mean by attacks further down the line unless you think the VPN provider themselves will sniff your traffic?
 
Easy: "A VPN is a secure tunnel which protects everything you go on from other people on the network." Boom. And I have never seen evidence of VPNs reducing speed, bandwidth, or battery life. And the price is negligible. £5 a month can get you a decent VPN, that's nothing.

Unlimited tethering is included in my plan, although I'm in the UK and I know US phone plans are terrible compared to ours.

VPN connections are a secure tunnel from your device to the VPN server, so no one on that WiFi network can intercept your connection. I don't know what you mean by attacks further down the line unless you think the VPN provider themselves will sniff your traffic?

Using a VPN can definitely cause noticeable lag and decreased bandwidth:

Is there an overhead or slowdown when using the VPN?

I'm afraid the answer is, it depends!

There is a very slight overhead when using a secure encrypted VPN tunnel, however, in tests, we have found this to be negligible when compared with ebb and flow of the wider Internet bandwidth, for example local ADSL/Cable contention, or inter country contention etc.

By far the biggest issue is the fact that when connected to us, ALL your traffic is going via our server which is probably in another country and possibly the other side of the world from you. For example, if you are in Australia and connected to our service in the UK, and then say download a file from Singapore, that file is going from Singapore, to the UK and then back to Australia, which will make a big impact on the throughput. If however, you are connected to our UK service and download a file from the UK, you should see almost no difference in the throughput.

The other significant factor is the bandwidth and usage between your location and the country you are connecting to. For example, Singapore has very good Internet connections within the country with most homes having access to a 100Mb connection, however, all those fast Internet connections quickly saturate the links from Singapore to the rest of the Internet and as a result, connections from Singapore to Europe vary greatly depending on the time of day. This is also true of many countries, where the local Internet connections are good, but the links out of the country are over utilised.

https://www.my-private-network.co.uk/knowledge-base/service-related/vpnoverhead.html

All that encryption and decryption is not free. You have to make the processor do the extra work which results in decreased battery life.

And if you want to tether in the US, those plans cost at least $20 extra according to the carrier guide at http://www.pcworld.com/article/261928/the_ultimate_android_tethering_guide.html

That means, with your solution, a person would have to pay an extra $20 + $7.50 (£5) = $27.50 per month just for these workarounds. You don't have to look hard to see why your suggestion will get laughed at by most people.

And a VPN connection is not totally secure from end to end. Your VPN connection terminates at your VPN host; they then have to send the traffic over the regular internet to reach the intended target, in this case Apple. An attacker could still sniff this portion of the link and steal your passwords. A proper SSL connection would prevent this.

And there is another major drawback of using a VPN: Nothing on your home network will be able to connect to each other. This means that iTunes wireless sync, iTunes wireless backup, Apple TV remote app, NAS, Airplay, etc.... will not work.
 
Apple was stupid for not implementing full HTTPS for the App Store but, that said, you are also stupid if you log into sensitive accounts over unsecured WiFi connections. This is why I never use those things, I just use the data on my phone, because it's a connection I know is reasonably secure - it's a lot harder to intercept a 3G connection than it is to sniff an open WiFi network after all.

If you log in to an unsecure wifi hotspot (which for business travelers is sometimes a requirement), you can't help but have sensitive data sent over the network. Most of this happens in the background without the user's consent. You can't blame users for that.
 