iOS apps vulnerable to HTTP Request Hijacking attacks

Share this article:
Researchers have determined that the vulnerability can be exploited in several iOS apps.
Researchers have determined that the vulnerability can be exploited in several iOS apps.

After learning of a redirection bug in one of its own iOS products, the researchers at mobile security company Skycure determined that the vulnerability – known as HTTP Request Hijacking (HRH) – can be exploited in several iOS apps.

The first part of the HRH, known as the “injection phase,” is when an attacker changes the logic of the app, Yair Amit, CTO and cofounder of Skycure, told SCMagazine.com on Tuesday. The next part is when the attacker takes control over the app's traffic, even when they are far away.

“The first phase starts with a man-in-the-middle (MiTM) scenario,” Amit said. “That can happen when the victim connects to a coffeeshop, hotel or airport Wi-Fi – a very popular target for MiTM attacks. Then, while the victim uses his applications, the attacker captures the requests they issue and responds with 301 HTTP responses that direct the victim's apps to interact with an attacker's controlled server.”

Amit added, “If the applications honor 301 HTTP responses, they would remember this directive and from that moment on will practically persistently change their logic and keep interacting with the new, attacker-controlled URLs, even though their developers specifically coded these applications to work with their designated servers.”

So, what is the end result for victims? Whether near or far, the attacker has access and control of iOS applications and can essentially alter how they operate.

Amit used a news app as an example, stating that the attacker can modify the content being delivered from the vendor. The CTO added that during his research he has seen stocks, social and even banking apps that are also vulnerable to HRH.

“One interesting example for this would be the huge effect the Syrian Electronic Army had when they hijacked the Associated Press Twitter account earlier this year and tweeted about explosions in the White House and the injury of President Barack Obama,” Amit said. “As you may remember, that led to about $136 billion being erased from the S&P 500 in a matter of three minutes.”

The exploitation is hard to detect for the average user because a successful HRH attack results in “persistent” change of the URLs to which the apps connect and, since most apps do not display web addresses, the owner may go on using the altered app for some time. However, a technical person who analyzes app traffic might be able to make the discovery.

Amit, who posted the findings in a blog post, offered some best practices to avoid getting drawn into this vulnerability.

“As a best practice, it is always advisable to program applications to interact via an encrypted channel, such as HTTPS, instead of HTTP,” Amit said. “However, this is a mitigation of HRH, not a fix. An attacker might utilize techniques such as malicious profiles in order to circumvent the SSL layer, and perform a persistent attack even if the victim removes the malicious profile.

A more thorough fix for HRH would be to change the caching policy of the application to not store persistent redirections, Amit said.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Four men charged with stealing Microsoft and U.S. Army trade secrets

Four men charged with stealing Microsoft and U.S. ...

The young men allegedly used SQL injection and stolen logins to gain access to systems at various companies and steal their intellectual property.

Google bumps maximum Chrome bug bounty reward to $15K

A high-quality report with a functional exploit for a sandbox escape will earn a bug hunter $15,000, according to the new reward amounts.

Survey: orgs adopt hybrid cloud environments despite security concerns

Survey: orgs adopt hybrid cloud environments despite security ...

Despite difficulties and concerns regarding security, more than 60 percent of respondents have adopted or plan to adopt a hybrid cloud environment.