Google Research Scientist leads Apple to turn on HTTPS for App Store, fixes many vulnerabilities

“Early July 2012, I reported to Apple numerous vulnerabilities related to their App Store iOS app. Last week Apple finally issued a fix for it and turned on HTTPS for the App Store,” Elie Bursztein blogs. “I am really happy that my spare-time work pushed Apple to finally enabled HTTPS to protect users.”

“The Apple App Store and associated applications, such as the Newsstand, are native applications provided by default with iOS to access/purchase content from the Apple App Store,” Bursztein writes. “While the Apple App Store is a native iOS app, most of its active content, including app pages and the update page, is dynamically rendered from server data. The server data is mostly standard web data (HTML/Javascript/CSS) with custom extensions/keywords.”

Bursztein writes, “The following attacks are carried out by an active network attack that is able to read, intercept and manipulate non-encrypted (HTTP) network traffic. Hence those attacks can be carried on any public Wifi networks including airport or coffee-shops networks. Being on the same networks as the victims is all it takes.”

Much more in the full article here.

MacDailyNews Note: Dr. Elie Bursztein is a research scientist who works at Google’s Mountain View, Calif. headquarters, where he works on methods to fix Internet security and privacy problems.


    1. Maybe because it was not a big issues.

      Like Pavlova’s dog, some people see the word “security” and start drooling in the “shock” region of the brain. Obviously Apple must have analyzed the situation and decided to put it on the back-burner.

    2. Wow, how many iOS users were hacked in this manner? There may have been some, but I did not hear anything and it would have been publicized if it had occurred. The media goes crazy over Apple rumors and would have gone ballistic over a legitimate security story.

      It sounds to me like Apple closed a potential security issue. Many companies do so on a regular basis. I really don’t see a story here. Even the purported Google link is rather lame.

    1. Looked at the linked report.

      It is impressive the number of security threats and issues Android users face.

      What is Dr. Elie Bursztein doing to protect Android users??

      The last page on the report says “Protecting the Irreplaceable”; of course that’s inaccurate because you can get an iPhone and be a lot more secure.

  1. A fairly recent issue of 2600: The Hacker’s Quarterly had an article that described how easy it is to set up a siphon with an Android phone/tablet on a public WiFi access point. Not using tunneled or encrypted sessions on public WiFi’s is inviting pwnage…

  2. RE: “MacDailyNews Note: Dr. Elie Bursztein is a research scientist who works at Google’s Mountain View, Calif. headquarters, where he works on methods to fix Internet security and privacy problems.”

    I wonder if he is also Google’s research scientist who works on methods to track Safari iPhone users without their consent? Oh Google!

  3. Dr. Bursztein says he advised Apple to turn on HTTPS for the App Store iOS app, and now 8 months later, Apple did and he writes on his blog it was only because of him? I don’t see Apple acknowledging that… He sounds more like a self-centered attention whore to me.

  4. Actually, while I’m not defending Apple here, HTTPS slows things down. So performance is an issue. I bet that’s part of why Apple wasn’t using it.

    But still, the fuck were they thinking?

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.