
It's almost alarming how long Apple has left its users, specifically all those who use the App Store, exposed to the potential danger of unencrypted communications between the App Store and the company's servers. Only now has Apple started using HTTPS, a technology that encrypts the data flow between the device and the App Store.

Google researcher Elie Bursztein reported on the problem on his blog on Friday. Already in July of last year, he discovered several vulnerabilities in Apple's security in his free time and reported them to the company. HTTPS is a security standard that has been in use for years and provides encrypted communication between an end user and a web server. It generally prevents a hacker from intercepting communications between two endpoints and extracting sensitive data, such as passwords or credit card numbers. It also verifies that the end user is not communicating with a fake server. This web security standard has been used for some time by, for example, Google, Facebook and Twitter.

According to Bursztein's blog post, part of the App Store was already secured via HTTPS, but other parts were left unencrypted. He demonstrated the attack possibilities in several videos on YouTube, where, for example, an attacker can trick users with a spoofed page in the App Store into installing fake updates or entering a password through a fraudulent prompt window. It is enough for the attacker to share an unprotected Wi-Fi network with the target at that moment.

By turning on HTTPS, Apple has closed many security holes, but it took a long time to take this step. And even then, Apple is far from having won. According to the security company Qualys, there are still cracks in Apple's security over HTTPS, and the company called it inadequate. However, the vulnerabilities are not easy for potential attackers to discover, so users do not have to worry too much.

Source: ArsTechnica.com