An Israeli security firm will disclose a flaw common to thousands of iPhone and iPad apps. The security gap allows attackers to carry out man-in-the-middle attacks.
"We have identified a very large number of applications that are vulnerable to this problem," Skycure CTO Yair Amit told The Register. The programming error will be revealed at the RSA Europe conference in Amsterdam on Tuesday.
"Usually after a disclosure we contact the developers to resolve the issue. In this case, the fact that there is a very large list of applications makes it an interesting challenge. So each of them needs a different approach, and we fail to give developers the information they need to fix their apps."
The researchers at Skycure call the attack HTTP Request Hijacking [PDF]. It works by exploiting weaknesses in the way applications communicate with the backend servers provided by their developers, or with any other web site.
An attacker first intercepts an application's attempt to fetch data over plain HTTP. The intercepted request is answered with an HTTP 301 response, which tells the program that the requested resource has been permanently moved to another address, one controlled by the attacker.
The attack effectively redirects the URL requested by an application to one chosen by the attacker, without notifying the device owner.
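The mitigation the description above points at is a redirect policy on the client side: an app should not follow (or, for a 301, remember) a redirect that moves it off its own backend or off HTTPS. The following is an added example written for this article, not Skycure's code or any affected app's code. It assumes the app knows its own backend hostnames (`api.example.com` here); the `attacker-placeholder.example` hostname and the two raw 301 responses are constructed samples, not captured traffic.

```python
"""
Redirect policy for an HTTP client, illustrating a defence against the HTTP
Request Hijacking pattern described above: a 301 answer to a plain-HTTP request
that points the app at a host the attacker controls. Added example; hostnames
are constructed placeholders.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_status_and_location(raw_response: bytes):
    """Pull the status code and Location header out of a raw HTTP response.

    Returns (status, location); location is None when the header is absent.
    """
    head, _, _body = raw_response.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status, location


def redirect_allowed(original_url: str, status: int, location, allowed_hosts) -> bool:
    """Decide whether a redirect may be followed and, for a 301, stored.

    Policy: only real redirect codes, only to HTTPS, and only to a host on the
    app's own allow list. A 301 is cacheable by default, so a client that
    follows it blindly keeps using the new address on later launches; the check
    therefore has to run before the redirect is cached, not just before it is
    followed once.
    """
    if status not in REDIRECT_CODES or not location:
        return False
    target = urlparse(urljoin(original_url, location))  # resolve a relative Location
    if target.scheme != "https":  # refuse plain-HTTP targets, including downgrades
        return False
    return target.hostname in allowed_hosts


class PinnedRedirectHandler(urllib.request.HTTPRedirectHandler):
    """urllib handler that refuses redirects off the app's own backend hosts."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = set(allowed_hosts)

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if not redirect_allowed(req.full_url, code, newurl, self.allowed_hosts):
            raise urllib.error.HTTPError(
                req.full_url, code, "redirect to %s blocked by policy" % newurl, headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_opener(allowed_hosts):
    """Opener an app would route all backend calls through (assumed usage)."""
    return urllib.request.build_opener(PinnedRedirectHandler(allowed_hosts))


# Constructed samples with placeholder hostnames; nothing here is a real server.
APP_BACKEND = {"api.example.com"}
ORIGINAL_URL = "http://api.example.com/v1/feed"
HIJACK_301 = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://attacker-placeholder.example/v1/feed\r\n"
    b"Content-Length: 0\r\n\r\n"
)
LEGIT_301 = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://api.example.com/v2/feed\r\n"
    b"Content-Length: 0\r\n\r\n"
)


def evaluate(raw_response: bytes, original_url: str = ORIGINAL_URL) -> bool:
    """Parse a raw response and apply the redirect policy to it."""
    status, location = parse_status_and_location(raw_response)
    return redirect_allowed(original_url, status, location, APP_BACKEND)


if __name__ == "__main__":
    print("injected 301 allowed:", evaluate(HIJACK_301))  # False
    print("legitimate 301 allowed:", evaluate(LEGIT_301))  # True
```

The policy is deliberately strict: a relative `Location` on a request that was made over plain HTTP resolves to an `http://` target and is refused too, because the underlying fix for this class of bug is to stop fetching app data over HTTP in the first place. In an app's own HTTP stack the same check belongs wherever redirects are followed or cached.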