Apple iOS Apps Can Easily Be Hijacked, Researchers Say

Many apps on iPhones and iPads are vulnerable to Web-based attacks that could feed false information to the user, Israeli security researchers planned to demonstrate today (Oct. 29).

In a presentation at the RSA Conference Europe in Amsterdam, Adi Sharabani and Yair Amit of Tel Aviv-based Skycure were to show that apps gathering content from the Internet over a malicious or compromised Wi-Fi network could have their traffic redirected to malicious servers.

That's sort of a tautological statement — bad connections can lead to bad results — but the Skycure researchers found that they could make app content requests permanently redirect to malicious servers by using an HTTP "301" (Moved Permanently) response.


That's a simple response by a Web server instructing the requesting client — in this case, the iOS app — that a server's URL has been permanently moved, and to send all future traffic to the new URL instead.

Of course, the real server's URL hasn't changed at all. The 301 response is abused to make the requesting app merely think it has.

In a computer's Web browser, this is not such a big deal. If the user glanced at the address bar, he'd see he was someplace he didn't want to be. But mobile apps that make calls to Web servers don't display their Web traffic to the user.

The Skycure researchers pointed out that news and stock-market apps constantly make calls to remote Web servers for updated information, and that it would be simple to point those calls elsewhere.

"If a victim's app is successfully attacked, she is no longer reading the news from a genuine news provider, but instead phony news supplied by the attacker's server," Amit wrote in a posting on Skycure's blog.

Here's how this exploit, which the Skycure researchers call "HTTP request hijacking," would work: An iPhone user walks into a Starbucks and connects to the open Wi-Fi network to read the latest news on an iOS news app.

A malicious hacker on the same Wi-Fi network intercepts the Wi-Fi traffic from that app and redirects it to a server he controls.

That malicious server mimics the app's real content server, but returns a 301 response telling the app that the real content server has permanently moved its URL to that of the malicious server, and that all future requests for content should go straight to that new URL.

HTTP Request Hijacking

"This brings us to a philosophical question," wrote Amit on the Skycure blog. "When someone gets up in the morning and reads news via her iPhone, how sure can she be that the reports she reads are genuine and not fake ones planted by a hacker?"

The Skycure researchers tested several iOS apps and found about half to be vulnerable to HTTP request hijacking. They're not revealing which apps those are.

In their blog posting and presentation slides, the researchers didn't say whether the problem affects apps on other mobile platforms, such as Android, Windows Phone or Windows RT. But because the exploit relies on internal app coding and HTTP, it's likely that apps on other platforms could also be affected.

The Skycure researchers recommended that all app makers make sure their content requests are sent over secure, or HTTPS, connections rather than insecure, regular HTTP. 

That wouldn't quite solve the problem, which would have to be permanently fixed with some code changes, but it would mitigate it.
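Why the redirect outlives the hostile network, and what a code-level fix can look like, is easiest to see in a small model. This is an added example, not code from Skycure or from any affected app; the client class, the `.example` host names and the "hardened" persistence policy are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample networks: URL -> (status, Location header, body).
HOME_NET = {
    "http://news.example/feed": (200, None, "genuine headlines"),
    "http://rogue.example/feed": (200, None, "substituted headlines"),
}
# On the hostile Wi-Fi, the answer for the real feed is replaced by a 301.
HOSTILE_NET = dict(HOME_NET)
HOSTILE_NET["http://news.example/feed"] = (301, "http://rogue.example/feed", "")


class AppHttpClient:
    """Toy HTTP client with a persistent 301 cache (hypothetical, not a real API)."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.permanent = {}  # original URL -> remembered redirect target

    def _may_persist(self, src, dst):
        if not self.hardened:
            return True  # naive behaviour: trust any 301 forever
        s, d = urlsplit(src), urlsplit(dst)
        # Assumed policy: remember only HTTPS-to-HTTPS moves on the same host.
        return s.scheme == d.scheme == "https" and s.hostname == d.hostname

    def get(self, url, network, max_hops=5):
        for _ in range(max_hops):
            url = self.permanent.get(url, url)  # cached 301 applies before any I/O
            status, location, body = network[url]
            if status != 301:
                return url, body
            if self._may_persist(url, location):
                self.permanent[url] = location
            url = location
        raise RuntimeError("too many redirects")


def replay(hardened):
    """Fetch once on the hostile network, then again back on the home network."""
    client = AppHttpClient(hardened)
    feed = "http://news.example/feed"
    return client.get(feed, HOSTILE_NET), client.get(feed, HOME_NET)


if __name__ == "__main__":
    print("naive   :", replay(False)[1])
    print("hardened:", replay(True)[1])
```

The naive client keeps serving the substituted feed after it is back on the home network, while the hardened one follows the redirect for that session only and returns to the genuine server afterwards.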

Users of iOS devices — and of Android and other mobile platforms as well — concerned about such attacks should equip their devices with VPN software that will create secure connections even over insecure Wi-Fi networks.

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

This thread is closed for comments
  • SHOCK!!!

    (not really)
  • I hope this will shut up all the noobs claiming that "Apple is taking care of them, so they don't have to".
    It all comes down to user's common sense, in this case, do not connect to wonky networks, just like in Android's case the lesson was 'do not modify the default security settings if you don't know what they mean'.
    iOS is NOT more secure than Android, and this proves it (yet again). Sleep on it.
  • The problem you miss, house70, is that even leaving the default settings in place you can still easily load garbage onto your Android device from the Play Store. My wife ended up getting bombarded with countless apps delivering spam directly to the phone (in the status bar as well as other places). No settings were changed. She is a regular user, they do not check the permissions over and over again with each app install.

    Neither system is safe from having problems, but the problem posed by these researchers requires such an elaborate setup that most will never encounter it. Compare that to an app you can install from the Play Store that delivers crap all the time, some of which will prompt you to install other apps, that's a bigger problem.