Researchers from device security firm Skycure have unearthed an unnerving vulnerability in iOS that can be used to hijack a number of apps when they are used on an insecure Wi-Fi network. And it might not just be an iOS issue, either.
“Most mobile apps do not visually indicate the server they connect to,” says Skycure, “making HRH attacks seamless, with very low probability of being identified by the victims.”
At its core, the attack, which Skycure calls HTTP Request Hijacking (HRH), is a variant of a standard man-in-the-middle attack. If an app is used on an insecure Wi-Fi network, an attacker on that network can intercept the app's requests, answer them with an HTTP 301 (Moved Permanently) response whose Location header points at a server the attacker controls, and the app follows the redirect to the hostile server. Because the 301 has to be injected into the connection on the wire, this only works for requests the app sends over plain HTTP; a properly validated HTTPS connection cannot be answered in place by a third party.
This is bad enough, but iOS apps have a behavior quirk that makes them particularly vulnerable to the attack: when an app receives a 301 response, the iOS URL loading system caches that redirect indefinitely. In other words, once an attacker has poisoned an app this way, every later request the app makes for that URL goes straight to the hostile server, on any network, until the cache is cleared, and the user may never know about it.
HRH attacks do require a few conditions to be met before they can be pulled off successfully. Most crucially, the attacker needs to be “physically near the victim for the initial poisoning,” meaning on the same Wi-Fi network as the victim at the moment the app sends the request that gets the 301 reply. After that single poisoning the attacker no longer needs to be nearby, since the cached redirect keeps working wherever the victim connects from.
Skycure has declined to name specific apps that are affected by this bug, as part of its responsible disclosure policy. Instead, the company has created a sample application that demonstrates the problem in action, along with a short video demonstrating the hijack. Most importantly, Skycure has published code in its article that allows concerned iOS developers to fix the problem quickly.
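The following is an added illustration, not Skycure's sample app or the fix code from its article: a small model of an app's URL loader and of the victim's Wi-Fi that reproduces the attack described above (the attacker answers a plain-HTTP request with a 301 once, and the poisoned redirect is then served on every later network), and the same-host check that stops it. In a real iOS app that check lives in the app's redirect-handling delegate; here it is the `same_host_only` flag. The client, the network, the hostnames `api.example.com` and `evil.example.net`, and the URLs are all constructed for the example.

```python
"""Model of an HTTP Request Hijacking (HRH) attack and the same-host redirect
check that defeats it.  Added example; the client and network are minimal
stand-ins for an app's URL loader and the victim's Wi-Fi, and every host and
URL below is constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit, urlunsplit

LEGIT_HOST = "api.example.com"   # constructed: the app's real backend
EVIL_HOST = "evil.example.net"   # constructed: attacker-controlled server


@dataclass
class Response:
    status: int
    location: Optional[str]   # Location header, only present on the 301
    server: str               # which party actually produced this response


def with_host(url: str, host: str) -> str:
    """Return url with its host swapped and path/query kept: what the attacker's 301 points at."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, host, p.path, p.query, p.fragment))


class Network:
    """Delivers a request to the host named in its URL.  With mitm=True an attacker
    on the same Wi-Fi answers every plain-HTTP request with a 301 to EVIL_HOST.
    Only http:// is answerable this way; a TLS connection cannot be spoofed in place."""

    def __init__(self, mitm: bool = False) -> None:
        self.mitm = mitm

    def send(self, url: str) -> Response:
        p = urlsplit(url)
        if p.hostname == EVIL_HOST:
            return Response(200, None, EVIL_HOST)
        if self.mitm and p.scheme == "http":
            return Response(301, with_host(url, EVIL_HOST), "attacker-on-wifi")
        return Response(200, None, p.hostname)


class RedirectRefused(Exception):
    pass


class Client:
    """URL loader whose 301 handling mirrors the behaviour the article describes: a 301
    for a URL is remembered permanently and applied to every later request for it, on
    any network.  With same_host_only=True a 301 whose Location is on a different host
    is refused and never cached, which is the check the app-side fix has to perform."""

    def __init__(self, same_host_only: bool = False) -> None:
        self.same_host_only = same_host_only
        self.redirect_cache: Dict[str, str] = {}

    def fetch(self, net: Network, url: str) -> Response:
        target = self.redirect_cache.get(url, url)   # a poisoned entry wins if present
        resp = net.send(target)
        if resp.status == 301:
            if self.same_host_only and urlsplit(resp.location).hostname != urlsplit(url).hostname:
                raise RedirectRefused(f"{url} -> {resp.location}")
            self.redirect_cache[url] = resp.location   # cached "indefinitely"
            resp = net.send(resp.location)
        return resp


def run_scenario(same_host_only: bool) -> List[str]:
    """Victim uses the app once on the attacker's Wi-Fi, then twice on a clean network.
    Returns who served each of the three requests."""
    client = Client(same_host_only=same_host_only)
    url = f"http://{LEGIT_HOST}/v1/feed"
    hostile, clean = Network(mitm=True), Network(mitm=False)
    served = []
    for net in (hostile, clean, clean):
        try:
            served.append(client.fetch(net, url).server)
        except RedirectRefused:
            served.append("refused")
    return served


if __name__ == "__main__":
    print("vulnerable client:", run_scenario(False))   # attacker keeps every later request
    print("hardened client:  ", run_scenario(True))    # one refused request, then back to normal
```

Two things the run makes visible that the prose only states: the poison outlives the hostile network (the vulnerable client keeps talking to `evil.example.net` on the clean network, because it never re-asks the real host), and the hardened client pays for the check with a single failed request on the hostile network rather than a permanent compromise. The same model shows that an `https://` request is not answerable by the on-path attacker at all, which is the stronger fix where the backend supports it.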
The New York Times Bits Blog was one of the first third-party sources to spread the word, noting that the same researchers also found another iOS-related security issue, back in 2012, in which LinkedIn’s iOS app turned out to be leaking sensitive information when it collected meeting details from users’ iOS calendars. LinkedIn has long since fixed that problem, but more recently it’s come under fire yet again for another iOS app, LinkedIn Intro.
In a final note to its post, Skycure adds that “HRH isn’t necessarily a problem of iOS applications alone; it may apply to mobile applications of other operating systems too.” In principle, the mechanism of an HRH attack isn’t specific to iOS. If another platform (Android, for instance) caches 301 responses the same way, the same attack could be performed there as well.
Let’s hope that’s not the case — but better yet, let’s find out if it is true and do something about it.