Apple iOS Apps Can Easily Be Hijacked, Researchers Say


Many apps on iPhones and iPads are vulnerable to Web-based attacks that could feed false information to the user, Israeli security researchers planned to demonstrate today (Oct. 29).

In a presentation at the RSA Conference Europe in Amsterdam, Adi Sharabani and Yair Amit of Tel Aviv-based Skycure were to show that apps gathering content from the Internet over a malicious or compromised Wi-Fi network could have their traffic redirected to malicious servers.

That's sort of a tautological statement — bad connections can lead to bad results — but the Skycure researchers found that they could make app content requests permanently redirect to malicious servers by using an HTTP "301" command.

MORE: How to Keep Your Smartphone or Tablet Secure

That's a simple response by a Web server instructing the requesting client — in this case, the iOS app — that a server's URL has been permanently moved, and to send all future traffic to the new URL instead.

Of course, the real server's URL hasn't changed at all. The 301 command is abused to make the requesting app merely think it has.

In a computer's Web browser, this is not such a big deal. If the user glanced at the address bar, he'd see he was someplace he didn't want to be. But mobile apps that make calls to Web servers don't display their Web traffic to the user.

The Skycure researchers pointed out that news and stock-market apps constantly make calls to remote Web servers for updated information, and that it would be simple to point those calls elsewhere.

"If a victim's app is successfully attacked, she is no longer reading the news from a genuine news provider, but instead phony news supplied by the attacker's server," Amit wrote in a posting on Skycure's blog.

Here's how this exploit, which the Skycure reseachers call "HTTP request hijacking," would work: An iPhone user walks into a Starbucks and connects to the open Wi-Fi network to read the latest news on an iOS news app.

A malicious hacker on the same Wi-Fi network intercepts the Wi-Fi traffic from that app and redirects it to a server he controls.

That malicious server mimics the app's real content server, but adds a 301 command instructing the app that the real content server has permanently moved its URL to that of the malicious server, and that all future requests for content should go straight to that new URL.

"This brings us to a philosophical question," wrote Amit on the Skycure blog. "When someone gets up in the morning and reads news via her iPhone, how sure can she be that the reports she reads are genuine and not fake ones planted by a hacker?"

The Skycure researchers tested several iOS apps and found about half to be vulnerable to HTTP request hijacking. They're not revealing which apps those are.

In their blog posting and presentation slides, the researchers didn't say whether the problem affects apps on other mobile platforms, such as Android, Windows Phone or Windows RT. But because the exploit relies on internal app coding and HTTP, it's likely that apps on other platforms could also be affected.

The Skycure researchers recommended that all app makers make sure their content requests are sent over secure, or HTTPS, connections rather than insecure, regular HTTP. 

That wouldn't quite solve the problem, which would have to be permanently fixed with some code changes, but it would mitigate it.

Users of iOS devices — and of Android and other mobile platforms as well — concerned about such attacks should equip their devices with VPN software that will create secure connections even over insecure Wi-Fi networks.

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.