Apple adds encryption to App Store connections, addresses six month old hole
At least six months after being alerted to a possible exploit in the way users connect to its App Store, Apple has added encryption to users' connections, plugging the security hole.
Google security researcher Elie Bursztein said on his blog that he alerted Apple of the potential for attack in July of last year, with the flaw affecting users connected to the App Store, reports CNet. The vulnerability Bursztein pointed out was made possible by Apple's use of the non-encrypted HTTP protocol instead of HTTPS for certain parts of communication with the App Store.
Bursztein pointed out that, in theory, a malicious network attacker could exploit the use of HTTP to steal user passwords, force users to install a specific app instead of the one they were looking for, trick users into downloading fake app upgrades, prevent application installation, or scan the apps on a user's device.
Bursztein published a number of videos detailing how the attacks might work, as well as additional technical details on the attack methodology earlier this year.
In an Apple Web Server notifications update published on Feb. 23, Apple addressed the issue. Active content is now served over HTTPS by default. Apple acknowledged Bursztein for pointing out the issue, as well as Bernhard Brehm of Recurity Labs and Rahul Iyer of Bejoi LLC.
The App Store has periodically been the target of attacks in the past. In 2010, Apple tightened security for the online marketplace following incidences of account fraud that saw some users hit with several hundred dollars worth of erroneous charges.
In April of 2012, Apple again updated its security protocols, adding a measure requiring users to fill out security questions to be associated with their accounts. In the event that a user signs on from a new device, iTunes and the App Store now requires them to answer the questions in order to verify their identity.