Researchers discover flaw in iOS that allows some apps to be hijacked


Researchers on Tuesday revealed a simple attack that exploits a newly discovered vulnerability in iOS apps. The defect allows an app to be manipulated to display fraudulent information and discreetly intercept data sent by the end user.

Israel-based Skycure stumbled onto the problem when the team noticed their own app redirecting to a wrong address. It wasn’t long before they realized they could do this with other apps, too, and decided it was worth further investigation…

https://www.youtube.com/watch?v=wByvUoe7pHw

For the redirection to happen, a hacker must first perform an attack over an unsecured Wi-Fi connection. Then, when the end user opens a vulnerable app, the attacker will be able to intercept the HTTP connection and gain full control.

Here’s a nice overview of the vulnerability by Skycure’s CTO Yair Amit (via Ars Technica):

“Nowadays almost all mobile applications interact with a server to send or retrieve data, whether it’s information to display or commands to be executed. Many of these applications are susceptible to a simple attack, in which the attacker can persistently alter the server URL from which the app loads its data (e.g., instead of loading the data from real.site the attack makes the app persistently load the data from attacker.site).

While the problem is generic and can occur in any application that interacts with a server, the implications of HRH for news and stock-exchange apps are particularly interesting. It is commonplace for people to read the news through their smartphones and tablets, and trust what they read. If a victim’s app is successfully attacked, she is no longer reading the news from a genuine news provider, but instead phoney news supplied by the attacker’s server. Upon testing a variety of high profile apps, we found many of them vulnerable.”

And for even more context, here’s a video demonstrating how such an attack would work:

http://www.youtube.com/watch?v=_X8ovx9vMZM

There are a few things worth noting here. For one, the team says apps that implement HTTPS cryptographic protections aren’t susceptible to the hack (unless a malicious profile has been installed). They also aren’t sure the problem is limited to iOS.

If you’re a developer, Skycure offers up a simple tutorial on how to ensure your apps don’t fall prey to request hijacking. And the team says that end users who are concerned an app may have been hijacked should remove it and reinstall it.
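
One way a developer could harden an app's networking against this kind of persistent redirection, as an added example (not Skycure's tutorial code and not from this article). It assumes the persistence comes from the HTTP client caching a permanent redirect (301 Moved Permanently), which the article does not spell out; the class and function names are hypothetical.

```swift
import Foundation

// Added example. Assumption: the hijack persists because a permanent
// redirect received on a hostile network was written to the URL cache.
final class NoPermanentRedirectCache: URLCache {
    private func isPermanentRedirect(_ cached: CachedURLResponse) -> Bool {
        guard let http = cached.response as? HTTPURLResponse else { return false }
        // 301 is the classic case; 308 is the other cacheable permanent redirect.
        return http.statusCode == 301 || http.statusCode == 308
    }

    override func storeCachedResponse(_ cachedResponse: CachedURLResponse,
                                      for request: URLRequest) {
        if isPermanentRedirect(cachedResponse) { return }  // never persist it
        super.storeCachedResponse(cachedResponse, for: request)
    }

    override func storeCachedResponse(_ cachedResponse: CachedURLResponse,
                                      for dataTask: URLSessionDataTask) {
        if isPermanentRedirect(cachedResponse) { return }
        super.storeCachedResponse(cachedResponse, for: dataTask)
    }
}

// Follows a redirect only when it stays on HTTPS and on the original host.
final class StrictRedirectDelegate: NSObject, URLSessionTaskDelegate {
    func urlSession(_ session: URLSession, task: URLSessionTask,
                    willPerformHTTPRedirection response: HTTPURLResponse,
                    newRequest request: URLRequest,
                    completionHandler: @escaping (URLRequest?) -> Void) {
        guard let originHost = task.originalRequest?.url?.host?.lowercased(),
              let target = request.url,
              target.scheme?.lowercased() == "https",
              target.host?.lowercased() == originHost else {
            completionHandler(nil)  // nil tells URLSession not to follow
            return
        }
        completionHandler(request)
    }
}

func makeHardenedSession() -> URLSession {
    // Drop redirects an earlier build may already have stored in the shared cache.
    URLCache.shared.removeAllCachedResponses()
    let config = URLSessionConfiguration.default
    config.urlCache = NoPermanentRedirectCache(memoryCapacity: 4 << 20,
                                               diskCapacity: 20 << 20,
                                               directory: nil)
    return URLSession(configuration: config,
                      delegate: StrictRedirectDelegate(), delegateQueue: nil)
}
```

Requests made through this session should use `https://` URLs; as noted above, the cache and redirect checks are a second layer behind HTTPS, not a substitute for it.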