Researchers warn of apps vulnerable to persistent HTTP attacks


There are only so many times we can warn you not to connect to unknown WiFi networks, but just for good measure: don’t connect to unknown WiFi networks. Doing so may be innocent more often than not, but there’s always the risk that the owner of the access point is using it to some nefarious end – heck, maybe the AP owner has had his own hardware hijacked and is wholly unaware of any shady business. Today we hear about the latest attack on mobile apps that might be carried out through such a vector, potentially turning your news reader or stock ticker app against you.

While the researchers at Skycure present this as an iOS problem, it isn’t necessarily exclusive to the platform. The issue is tied to the HTTP 301 Moved Permanently response, which servers can use to seamlessly redirect clients after data is relocated. By hijacking your session on a hostile network, an attacker could insert such a response as an app attempted to connect to its remote server, redirecting it to a malicious server in the process.

For an app that pulls data to display via HTTP, this vulnerability could be used to replace that info with anything of the hacker’s choosing, delivering false information to the hapless user.

This is also a problem for web browsers in general, but it’s a bit more insidious with apps, since you can’t simply look in the address bar to see which URL is being pulled up. Once that 301 response is cached and the malicious server’s address is saved on your phone, the app won’t know the difference: it will keep pulling down the compromised data, even on networks the attacker no longer controls, without clueing you in as to what’s going on.

The workaround seems to be either ignoring those 301 responses, not caching them, or at least alerting users when apps aren’t connecting to their default servers.
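To make the cached-redirect behaviour and the workaround concrete, here is a small added Python model of an app’s HTTP client; it is not Skycure’s code or any real app’s networking stack, and the hostnames are constructed. The naive mode remembers whatever a 301 says, while the hardened mode refuses redirects to hosts the app doesn’t expect, never persists a 301, and records an alert instead.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: the 301 an app could receive on a hostile network,
# pointing it at a look-alike host instead of its real server.
INJECTED_301 = {"status": 301, "location": "http://news.example.net/feed"}

# Constructed sample: a legitimate same-host 301 (the server moved a path).
LEGIT_301 = {"status": 301, "location": "/v2/feed"}


class RedirectCache:
    """Minimal model of a client that may remember 301 redirects.

    trusted_hosts   - hostnames the app expects to talk to
    pin_hosts       - hardened: refuse redirects that leave trusted_hosts
    cache_permanent - naive: remember 301s and use them for later requests
    """

    def __init__(self, trusted_hosts, pin_hosts, cache_permanent):
        self.trusted_hosts = {h.lower() for h in trusted_hosts}
        self.pin_hosts = pin_hosts
        self.cache_permanent = cache_permanent
        self._cache = {}   # original URL -> remembered redirect target
        self.alerts = []   # (original URL, refused target) pairs

    def resolve(self, url):
        """URL the client would actually fetch for `url` on a later request."""
        return self._cache.get(url, url)

    def handle_response(self, url, response):
        """Process one response; return the URL the client fetches next."""
        if response["status"] != 301:
            return url
        target = urljoin(url, response["location"])
        host = urlsplit(target).hostname or ""
        if self.pin_hosts and host.lower() not in self.trusted_hosts:
            # Hardened: don't follow the off-origin redirect, surface it
            # so the user or developer can see the app was steered away.
            self.alerts.append((url, target))
            return url
        if self.cache_permanent:
            # Naive: the redirect now persists for every future request.
            self._cache[url] = target
        return target
```

The hardened client still follows a same-host redirect such as LEGIT_301, so normal server maintenance keeps working.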

Source: Skycure
Via: Consumerist

About The Author
Stephen Schenck
Stephen has been writing about electronics since 2008, which only serves to frustrate him that he waited so long to combine his love of gadgets and his degree in writing. In his spare time, he collects console and arcade game hardware, is a motorcycle enthusiast, and enjoys trapping blue crabs. Stephen's first mobile device was a 624 MHz Dell Axim X30, which he's convinced is still a viable platform. Stephen longs for a market where phones are sold independently of service, and bandwidth is cheap and plentiful; he's not holding his breath. In the meantime, he devours smartphone news and tries to sort out the juicy bits.