Using a man-in-the-middle attack, hackers could exploit a vulnerability in many high-profile iOS apps, allowing them to repeatedly direct traffic from the app to a different server, according to a team of researchers at Israeli startup Skycure. The team announced the discovery of the vulnerability discovery at the RSA Europe conference and in an accompanying blog post.
According to Skycure, many iOS apps are vulnerable to an attack the company has dubbed “HTTP Request Hijacking.” The hack involves manipulating HTTP status code 301 Moved Permanently, which is used to redirect Web traffic to a new URL. Many apps, like browsers, cache the address redirection and automatically reuse it to save time. Yet while such redirections are clear in a browser, where the URL is displayed in the search bar, they are generally less apparent in apps. As a result, it would be easy for an attacker to manipulate an app to permanently load data from a malicious server without the user having any idea.
Using a man-in-the-middle attack to gain access to a mobile application, a hacker can then point traffic toward a malicious server and persistently control HTTP traffic in the app. While the effect of such an attack is limited by the need for the attacker to be physically close to the victim to perform the initial hijacking, the implications are relatively far-reaching. Skycure CTO Yair Amit explained that cache attacks have generally been overlooked in native apps due to the limited possibilities of a typical cache poisoning attack.
“[B]y performing a classical cache poisoning attack (e.g., returning a fake json/XML response with cache-control directives) on native apps, the impact is very limited,” Amit wrote. “In such attacks, since the cached response is static by nature (as long as the native app does not rely on an embedded browser to render it), the attacker would not be able to persistently view, control or manipulate the apps’ traffic. On the other hand, HRH attacks give the attacker remote and persistent control over the victim’s app.”
Handling the problem
Skycure’s findings suggested that a large number of iOS apps are likely susceptible to the HRH vulnerability. The company ran manual tests on many high-profile apps and discovered that the issue was common.
“Due to the fact [that] almost half of them were susceptible to HRH, we estimate that the number of vulnerable apps is very large, probably tens of thousands,” Amit told Ars Technica.
Researchers urged iOS developers to include safeguards to prevent such attacks in their apps. By using an encrypted HTTPS protocol instead of HTTP for requests between the app and its designated server, the attack can be avoided. Additionally, developers can build in a workaround to avoid 301 redirection caching altogether. By writing in tighter software security controls during the coding process and using approaches like code review to scan for simple oversights, app developers can avoid exposing users to these types of basic but malicious threats.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.