HTTP Request Hijacking attack said to be simple to do against Apple iOS apps
Network World - Many Apple iOS applications are vulnerable to a man-in-the-middle attack that can result in permanent manipulation by the attacker, according to start-up Skycure, which released its research findings on this today during the RSA Europe conference.
Skycure CTO Yair Amit says many mobile iOS apps are vulnerable to a “very simple attack that relies on the 301 HTTP Response, a permanent re-direction.” If an Apple iOS app can cache these so-called 301 HTTP Re-Direct Response requests — and many popular iOS apps do, according to Skycure — then the app is vulnerable to being repeatedly hijacked via re-direction to the attacker’s server.
While this general type of man-in-the-middle attack has been known on the Web for many years, for mobile applications the result is worse in that it “persistently changes the URL” of the server and lets the attacker take dynamic control over the app, says Amit. In the information that Skycure is publishing today, the company notes the impact of the attack is basically that instead of loading data from the real site that the user wants to visit, the attacker can make the app permanently load the data from the attacker’s site.
Skycure isn’t releasing the names of the vulnerable iOS apps because this issue hasn’t necessarily been fixed. Amit says according to Skycure’s research, a significant portion of apps available through the official Apple App Store could be attacked this way. The problem is not a vulnerability in iOS itself but a coding weakness on the part of the developer.
Skycure says “HTTP Request Hijacking” of Apple iOS mobile devices such as iPhones and iPads starts with a man-in-the-middle attack, which would typically commence in a public WiFi zone, such as in a coffee shop. While a type of attack like this has been known to happen on the Web between computer-based Web browsers and Web servers for quite some time, the way a similar attack works on mobile devices hasn’t yet been subject to much scrutiny, says Amit.
He adds the implication of such an attack on news or financial information received through iOS devices is troubling.
“In a mobile application, it changes the application,” he says, adding “there’s no easy way to remove the problem.” But Skycure believes there are a number of steps that app developers can take to remediate or mitigate against it.
Among them are making sure the app doesn’t cache a 301 HTTP Re-Direct Response for re-direction. Another is to make sure the mobile device interacts with a designated server via an encrypted protocol, such as HTTPS, instead of HTTP. “If you want your application to behave differently with a server, just release an update,” he suggests. Making changes to apps to correct for this may be somewhat disruptive to the end-user, he adds.
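The persistence described above, and the effect of not caching the 301, can be seen in a small model. This is an added example, not Skycure's code and not iOS code; the URLs, the `Client` class and the helper names are constructed for illustration, and the HTTPS mitigation is not modelled.

```python
# Added example: a toy model of an HTTP client's redirect cache, not iOS code.
from urllib.parse import urlsplit

APP_URL = "http://news.example/feed"      # constructed: URL hard-coded in the app
ROGUE_URL = "http://rogue.example/feed"   # constructed: server the 301 points to

# Constructed responses: URL -> (status, body or Location target).
INTERNET = {APP_URL: (200, "real headlines"), ROGUE_URL: (200, "forged headlines")}
TRUSTED_NET = dict(INTERNET)
# On the hostile Wi-Fi the plain-HTTP answer for APP_URL is replaced by a 301.
HOSTILE_NET = {**INTERNET, APP_URL: (301, ROGUE_URL)}


class Client:
    def __init__(self, cache_301):
        self.cache_301 = cache_301
        self.redirect_cache = {}   # survives network changes, like an on-disk cache

    def fetch(self, url, network, max_hops=5):
        for _ in range(max_hops):
            if url in self.redirect_cache:        # cached 301: network never asked
                url = self.redirect_cache[url]
                continue
            status, value = network[url]
            if status != 301:
                return url, value
            if self.cache_301:
                self.redirect_cache[url] = value  # the persistence described above
            url = value
        raise RuntimeError("too many redirects")


def after_hostile_session(cache_301):
    """One fetch on the hostile network, then one on a trusted network."""
    client = Client(cache_301)
    client.fetch(APP_URL, HOSTILE_NET)
    return client, client.fetch(APP_URL, TRUSTED_NET)


def foreign_redirects(client, allowed_hosts):
    """Audit check: cached redirects whose target host is not one of the app's own."""
    return {src: dst for src, dst in client.redirect_cache.items()
            if urlsplit(dst).hostname not in allowed_hosts}


if __name__ == "__main__":
    for cache_301 in (True, False):
        client, (final_url, body) = after_hostile_session(cache_301)
        print(cache_301, final_url, body, foreign_redirects(client, {"news.example"}))
```

With caching on, the second fetch never contacts the real server even though the network is now trusted; `foreign_redirects` is the kind of check a developer could run over an app's stored redirects during testing.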
The HTTP Request Hijacking attack on iOS that Skycure has identified may also exist in Android or other mobile-device platforms, but Skycure currently puts its focus primarily on Apple iOS. Skycure believes one danger in this type of man-in-the-middle attack on mobile devices is that it is much less visible to the victimized end-user than the more traditional computer-based form of the attack.
Source: Network World
Android users are probably familiar with the Swype keyboard which basically allows users to type on their phones just by swiping (or “swyping”) between characters versus pecking at individual letters one at a time. In fact one iOS developer has even attempted to port Swype onto iOS devices although it didn’t exactly take off. However it seems that Apple did think about keyboard alternatives back in the day, and thanks to a recent patent that was published, it looks like Apple’s idea was pretty similar to Swype. According to the patent filing, it was filed for back in 2007 which is the same year that the first iPhone debuted, suggesting that Apple was already looking for keyboard alternatives for touchscreen devices back in the day.
However given that it’s 6 years later and the only revision to the Apple keyboard on iOS would be its design, it’s safe to say that Apple decided not to pursue this idea, or other keyboard ideas the Cupertino company and its team might have cooked up then. In any case Apple’s keyboard is more than functional and is pretty accurate as far as onscreen keyboards are concerned.
By default, iOS 7 will track and record places that you visit most often to provide better location-based data such as in the Today summary of Notification Center. If you value your privacy more than you do location-based data, you can turn the feature off. Turning off features like these can also help save a bit of battery life.
1. Launch the Settings app from the Home screen of your iPhone or iPad.
2. Tap on Privacy.
3. Now tap on Location Services at the top.
4. Towards the bottom of the next screen, tap on System Services.
5. Again, towards the bottom of the next page, tap on Frequent Locations.
6. At the top of the next screen, turn the Frequent Locations option to the Off position.
That’s all there is to it. Locations you travel to most will no longer be tracked. While this comes at the expense of not having as accurate location data in places like the Today Summary screen, it also preserves your privacy better and to a lot of us, that’s more important.
Hot on the heels of a vulnerability that gave snoopers the ability to bypass the iPhone’s passcode in iOS 6 and make calls, view and modify contacts, and even access photos via the Contacts app, is a new one that allows the entire contents of the handset to be synced with iTunes.
“The vulnerability is located in the main login module of the mobile iOS device [applies to iPhone or iPad] when processing to use the screenshot function in combination with the emergency call and power button,” said Vulnerability Lab, who initially discovered the flaw.
The vulnerability allows anyone with physical access to the iOS device the ability to easily bypass the passcode lock and use a USB cable to get access to the data stored on the iPhone or iPad from a Mac or PC.
Below is a video demonstrating the vulnerability.
This is a very serious vulnerability indeed, as it means that someone could get access to data stored on an iOS device without leaving a trace. While home users might not like the idea of family and friends snooping through their data, it’s businesses who use iPhones and iPads that need to be really worried. This vulnerability means that storing sensitive information on an iOS 6 device is not a good idea, and additional steps need to be taken to protect the data.
A security flaw in Apple’s iOS 6.1 lets anyone bypass your iPhone password lock and access your phone app, view or modify contacts, check your voicemail, and look through your photos (by attempting to add a photo to a contact). The method, as detailed by YouTube user videosdebarraquito, involves making (and immediately canceling) an emergency call and holding down the power button twice. We followed the steps and managed to access the phone app on two UK iPhone 5s running iOS 6.1. This isn’t the first time this has happened — a very similar bug affected iOS 4.1 and was fixed in iOS 4.2. We’ve reached out to Apple for comment and will update you once we hear back.
Watch this YouTube video demonstration of the hack.
Source: The Verge
Security researcher and iOS hacker pod2g has found and detailed a flaw in iOS that is considered “severe”, though it does not involve code execution.
According to pod2g “The flaw exists since the beginning of the implementation of SMS in the iPhone, and is still there in iOS 6 beta 4.”
The flaw is found in the SMS messaging on iOS devices. The SMS text is a few bytes of data exchanged between two mobile phones, with the carrier transporting the information. The text is converted to PDU (Protocol Description Unit) by the mobile device and then passed to the baseband for delivery.
PDU handles the sending and receiving of various types of messages in mobile devices. Included in the message header there are various pieces of information about the message, including the details of the message sender. This feature is commonly used for automated messages from companies and carriers. And since carriers don’t check the validity of this information when it is used by third parties, it can be exploited.
Because iOS does not allow you to view the number that you’re replying to, this enables a malicious sender to fake his identity, making you think that a trusted number is sending the SMS. Because the “reply-to” number is different to the number displayed, iOS would send your message to a hidden number without you realizing.
According to pod2g, the following is why this flaw is an issue:
• Pirates could send a message that seems to come from the bank of the receiver asking for some private information, or inviting them to go to a dedicated website. [Phishing]
• One could send a spoofed message to your device and use it as false evidence.
Source: pod2g’s iOS Blog