“Early July 2012, I reported to Apple numerous vulnerabilities related to their App Store iOS app. Last week Apple finally issued a fix for it and turned on HTTPS for the App Store,” Elie Bursztein blogs. “I am really happy that my spare-time work pushed Apple to finally enable HTTPS to protect users.”
“The Apple App Store and associated applications, such as the Newsstand, are native applications provided by default with iOS to access/purchase content from the Apple App Store,” Bursztein writes. “While the Apple App Store is a native iOS app, most of its active content, including app pages and the update page, is dynamically rendered from server data. The server data is mostly standard web data (HTML/Javascript/CSS) with custom extensions/keywords.”
Bursztein writes, “The following attacks are carried out by an active network attacker that is able to read, intercept and manipulate non-encrypted (HTTP) network traffic. Hence those attacks can be carried out on any public Wifi network, including airport or coffee-shop networks. Being on the same network as the victims is all it takes.”
Much more in the full article here.
MacDailyNews Note: Dr. Elie Bursztein is a research scientist at Google’s Mountain View, Calif. headquarters, where he works on methods to fix Internet security and privacy problems.