“Early July 2012, I reported to Apple numerous vulnerabilities related to their App Store iOS app. Last week Apple finally issued a fix for it and turned on HTTPS for the App Store,” Elie Bursztein blogs. “I am really happy that my spare-time work pushed Apple to finally enabled HTTPS to protect users.”
“The Apple App Store and associated applications, such as the Newsstand, are native applications provided by default with iOS to access/purchase content from the Apple App Store,” Bursztein writes. “While the Apple App Store is a native iOS app, most of its active content, including app pages and the update page, is dynamically rendered from server data. The server data is mostly standard web data (HTML/Javascript/CSS) with custom extensions/keywords.”
Bursztein writes, “The following attacks are carried out by an active network attack that is able to read, intercept and manipulate non-encrypted (HTTP) network traffic. Hence those attacks can be carried on any public Wifi networks including airport or coffee-shops networks. Being on the same networks as the victims is all it takes.”
Much more in the full article here.
MacDailyNews Note: Dr. Elie Bursztein is a research scientist who works at Google’s Mountain View, Calif. headquarters, where he works on methods to fix Internet security and privacy problems.
It is quite shocking that Apple themselves one,didn’t install all available security from the beginning and two, that it took so long to react !
Maybe because it was not a big issues.
Like Pavlova’s dog, some people see the word “security” and start drooling in the “shock” region of the brain. Obviously Apple must have analyzed the situation and decided to put it on the back-burner.
Pavlova’s dog !! I love it. I picture it as a pug.
It was a Maltesa
Wow, how many iOS users were hacked in this manner? There may have been some, but I did not hear anything and it would have been publicized if it had occurred. The media goes crazy over Apple rumors and would have gone ballistic over a legitimate security story.
It sounds to me like Apple closed a potential security issue. Many companies do so on a regular basis. I really don’t see a story here. Even the purported Google link is rather lame.
https://twitter.com/pschiller/statuses/309701667375415297
The timing here wasn’t too convenient.
Looked at the linked report.
It is impressive the number of security threats and issues Android users face.
What is Dr. Elie Bursztein doing to protect Android users??
The last page on the report says “Protecting the Irreplaceable”; of course that’s inaccurate because you can get an iPhone and be a lot more secure.
Sorry, his name is too close to Evil Bursztein.
This guy seems like a good sport.
See, there are no sides to science, just facts and hypotheses.
A fairly recent issue of 2600: The Hacker’s Quarterly had an article that described how easy it is to set up a siphon with an Android phone/tablet on a public WiFi access point. Not using tunneled or encrypted sessions on public WiFi’s is inviting pwnage…
And how should normal people know this? This is amazing. Normal people can’t be expected to know everything. Seems we need much more security.
I’m sure apple had their motive. Security…
And I guess they knew long before Google mentioned last year.
RE: “MacDailyNews Note: Dr. Elie Bursztein is a research scientist who works at Google’s Mountain View, Calif. headquarters, where he works on methods to fix Internet security and privacy problems.”
I wonder if he is also Google’s research scientist who works on methods to track Safari iPhone users without their consent? Oh Google!
He should start to work for Apple.
Dr. Bursztein says he advised Apple to turn on HTTPS for the App Store iOS app, and now 8 months later, Apple did and he writes on his blog it was only because of him? I don’t see Apple acknowledging that… He sounds more like a self-centered attention whore to me.
Actually, Apple did acknowledge him. I wonder how much crap would be thrown at Google by everyone if Google had taken eight months to fix a security hole that they had been alerted to?
Actually, while I’m not defending Apple here, HTTPS slows things down. So performance is an issue. I bet that’s part of why Apple wasn’t using it.
But still, the fuck were they thinking?