It’s a variant of a man-in-the-middle attack known as HTTP Request Hijacking (HRH), and it’s a potentially big problem for iPhone developers and consumers alike considering that large numbers of mobile apps have been found to be susceptible.
Nearly all mobile applications interact with a server to send or retrieve data, explained Yair Amit, CTO and co-founder at Skycure, who uncovered the vulnerability. Whether it’s information to display or commands to be executed, the communication back and forth with a server URL makes many of these applications susceptible to a simple attack, in which the attacker can persistently alter that server URL to load the data from the attacker’s site of choice.
“While the problem is generic and can occur in any application that interacts with a server, the implications of HRH for news and stock-exchange apps are particularly interesting,” said Amit, in a blog. “It is commonplace for people to read the news through their smartphones and tablets, and trust what they read. If a victim’s app is successfully attacked, s/he is no longer reading the news from a genuine news provider, but instead phony news supplied by the attacker’s server. Upon testing a variety of high profile apps, we found many of them vulnerable.”
So in other words, when someone gets up in the morning and reads the news on their iPhone over breakfast, how sure can they be that the reports they are reading are genuine and not fake ones planted by a hacker?
The issue isn’t confined to the potential for bogus news items, either. There are also ramifications in terms of info-stealing and phishing via spoofed pages. Unfortunately, the issue appears to be endemic.
“One evening, Assaf Hefetz and Roy Iarchy, two Skycure engineers, called me over and told me they had come across a weird redirection bug in our product,” Amit explained. “We started discussing it when it suddenly hit me that this ‘bug’ might in fact be a widespread vulnerability waiting to be discovered.”
He added, “We went on to test a bunch of high profile applications, and were amazed to find that about half of them were susceptible to HRH attacks. Focusing on leading app store news apps, we found many of them vulnerable and easy to exploit.”
The problem is so widespread that the firm gave up on notifying individual app vendors of the flaws. “Unlike most vulnerabilities, where a responsible disclosure could be made in private to the vendor in charge of the vulnerable app, we soon realized that HTTP Request Hijacking affects a staggering number of iOS applications, rendering the attempt to alert vendors individually virtually impossible,” Amit said.
From a technical standpoint, the problem revolves around the caching of HTTP redirections in mobile applications, as he explained in a lengthy analysis. It starts with a man-in-the-middle scenario: when the vulnerable app sends a request to its designated server, the attacker simply intercepts it and returns a 301 HTTP redirection pointing at an attacker-controlled server.
“Many iOS applications cache HTTP status code 301 when received over the network as a response,” he wrote. “While the 301 Moved Permanently HTTP response has valuable uses, it also has severe security ramifications on mobile apps, as it could allow a malicious attacker to persistently alter and remotely control the way the application functions, without any reasonable way for the victim to know about it.”
To that latter point, he noted that whereas browsers have an address bar, most mobile apps do not visually indicate the server they connect to, making HRH attacks seamless, with very low probability of being identified by the victims.
Even so, if a consumer begins to notice odd interfaces or unusual screens or content popping up in mobile apps, the best thing to do is remove the app and then reinstall it. Consumers should also keep apps fully up to date, so that when fixes are released they are installed on the device at the earliest opportunity.