Skip to main content

Apple boosts App Store security with new HTTPS connections

Get busy, hackers, because Apple has just made it a little bit tougher for you to mess with someone's digital life via their connection to the App Store. According to Google researcher and security enthusiast Elie Bursztein, Apple's finally flipped the switch and is now forcing all iOS fans to use HTTPS connections when they use their devices to talk to the App Store.

The benefit? It's going to be a lot trickier for those slumming around an Internet café or other public Wifi spot to pull a man-in-the-middle attack – as might have been the case with one's previously unencrypted connection between an iPhone or iPad and the App Store app. Or, as Bursztein puts it, "Being on the same networks as the victims is all it takes" in regards to the ease at which a number of attacks could be mounted against an unsuspecting iOS user.

In his blog post, Bursztein lists a number of examples by which an attacker could have affected those using an unencrypted connection to the App Store on their devices. Take, for example, a simple bit of password stealing:

"The user opens the App Store, which will trigger the App Store app to fetch the list of update available from the server. The attacker intercepts the reply and injects a javascript prompt into it that asks for the user Apple Id password. From the user's perspective it seems that opening the application triggered the prompt which is very deceiving. The password is then exfiltrated by including it into a script insertion url," Bursztein describes.

But that's not all.

Attackers could also allegedly force a user to install a completely different application than the one he or she initially selected (or purchased) with a bit of on-the-fly code swapping. Bursztein also describes a method by which attackers could trick a user into installing an app by "manipulating existing app upgrades" or, if an attacker is feeling particularly clever, preventing an iOS user from installing an app as-is.

Additionally, those taking a peak at the unencrypted communications between a user and the App Store would be able to get their hands on a full list of apps that said user has installed on his or her device.

"I decided to render those attacks public, in the hope that it will lead more developers (in particular mobile ones) to enable HTTPS. Enabling HTTPS and ensuring certificates validity is the most important thing you can do to secure your app communication," Bursztein writes.