By Stephen Schenck | October 29, 2013 4:05 PM
There are only so many times we can warn you not to connect to unknown WiFi networks, but just for good measure: don’t connect to unknown WiFi networks. While doing so may be innocent more often than not, there’s always the risk that the owner access point is using it to some nefarious end – heck, maybe the AP owner himself has had his hardware hijacked, and is wholly unaware of any shady business. Today we hear about the latest attack on mobile apps that might be carried out through such a vector, potentially turning your news reader or stock ticker app against you.
While the researchers at Skycure present this as an iOS problem, it’s isn’t necessarily exclusive to the platform. The issue is tied to the HTTP 301 Moved Permanently response, which servers can use to seamlessly redirect users after data is relocated. By hijacking your session, an attacker could insert such a response as an app attempted to connect to a remote server, redirecting it to a malicious server in the process.
For an app that pulls data to display via HTTP, this vulnerability could be used to replace that info with anything of the hacker’s choosing, delivering false information to the hapless user.
This is also a problem for web browsers in general, but it’s a bit more insidious with apps, since you can’t simply look in the address bar to see which URL is being pulled up – once that 301 response is cached and this malicious server info is saved to your phone, an app’s not going to know the difference, and keep on pulling down that compromised data without clueing you in as to what’s going on.
The workaround seems to be either ignoring those 301 responses, not caching them, or at least alerting users to when apps aren’t connecting to their default servers.