A group of mobile security researchers say they have discovered a vulnerability in many mobile apps running on iOS that could allow a hacker to hijack the information being provided to a mobile device when used over an unsecured Wi-Fi network.
The researchers at Skycure have more details in this blog post about the vulnerability, and the video above does a decent job of explaining it, but here’s how it works in a nutshell.
When the user goes online and uses a vulnerable app on an unsecured Wi-Fi network, a hacker could trick the app into permanently altering the URL for the server from which it is supposed to get its information. The attacker can even ultimately connect the user to the desired server, so that it appears as if the user is still receiving the information being sought.
The researchers call it HTTP Request Hijacking (or HRH):
While the problem is generic and can occur in any application that interacts with a server, the implications of HRH for news and stock-exchange apps are particularly interesting. It is commonplace for people to read the news through their smartphones and tablets, and trust what they read. If a victim’s app is successfully attacked, she is no longer reading the news from a genuine news provider, but instead phoney news supplied by the attacker’s server. Upon testing a variety of high profile apps, we found many of them vulnerable.
According to Skycure, because many iOS apps cache this permanent redirection, the user will continue to connect to the malicious server even after the attack is finished.
“A victim walks into Starbucks, connects to the Wi-Fi and uses her favorite apps,” explains Skycure by way of example. “Everything looks and behaves as normal, however an attacker is sitting at a nearby table and performs a silent HRH attack on her apps. The next day, she wakes up at home and logs in to read the news, but she’s now reading the attacker’s news!”
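The two-day scenario above can be modelled in a few lines. This is an example added here, not code from Skycure or from any affected app. The hosts, the `Client` class and the hardened policy (follow a permanent redirect received over plain http:// once, but never remember it) are assumptions chosen for illustration, not Skycure's published fix.

```python
# Constructed simulation: hosts, URLs and responses below are made up.
from urllib.parse import urlsplit

class Client:
    """Minimal HTTP client model with a redirect cache that survives restarts."""

    def __init__(self, cache_plain_http_301):
        self.cache_plain_http_301 = cache_plain_http_301
        self.redirect_cache = {}          # original URL -> remembered target

    def fetch(self, url, network):
        """Return (final_url, body); `network` maps URL -> (status, value)."""
        current = self.redirect_cache.get(url, url)   # cached 301 applied first
        for _ in range(5):                            # bound redirect chains
            status, value = network[current]
            if status == 200:
                return current, value
            if status == 301 and self._may_persist(current):
                self.redirect_cache[url] = value      # remembered permanently
            current = value                           # follow for this request
        raise RuntimeError("too many redirects")

    def _may_persist(self, responding_url):
        # Hardened policy (assumption): a 301 that arrived over unauthenticated
        # http:// is followed once but never remembered, because anyone on the
        # network path could have forged it.
        return self.cache_plain_http_301 or urlsplit(responding_url).scheme == "https"

FEED = "http://news.example/feed"
HOME_NET = {FEED: (200, "genuine headlines"),
            "http://rogue.example/feed": (200, "forged headlines")}
# On the open Wi-Fi the response for FEED is replaced by a permanent redirect.
OPEN_WIFI = {**HOME_NET, FEED: (301, "http://rogue.example/feed")}

def next_day_body(client):
    """Use the app on the hostile network, then again on a trusted one."""
    client.fetch(FEED, OPEN_WIFI)         # day 1: coffee-shop Wi-Fi
    return client.fetch(FEED, HOME_NET)   # day 2: same app, home network

if __name__ == "__main__":
    print("caches any 301: ", next_day_body(Client(True)))
    print("hardened policy:", next_day_body(Client(False)))
```

The client that remembers every permanent redirect still loads the forged feed on the trusted network, while the hardened one returns to the genuine server as soon as the hostile network is gone.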
They do not list which applications the attack was tested on, but they do say they tested “a bunch of high profile applications, and were amazed to find that about half of them were susceptible to HRH attacks.”
“[W]e soon realized that HTTP Request Hijacking affects a staggering number of iOS applications, rendering the attempt to alert vendors individually virtually impossible,” Skycure gives as its reason for going public with the vulnerability. “We therefore chose to reveal the problem, along with clear and detailed fix instructions, to empower developers to fix their code quickly and efficiently, before hackers attempt to exploit it.”