By Prarthito Maity | Mar 09, 2013 11:26 AM EST
Apple’s App Store vulnerability has been in the news for a while, and although the problem has been overshadowed by other issues, a fix was still pending. Now it seems Apple has taken serious note of it, and there’s more to follow up on.
Per reports, Apple has finally fixed a security flaw in its application store that had for some time allowed attackers to steal passwords and install unwanted or extremely expensive applications.
The problem in the App Store was first noticed back in July, when a security researcher at Google discovered a boatload of vulnerabilities in Apple's App Store, made worse by Apple's failure to implement HTTPS encryption.
However, six months later, Apple finally started making use of HTTPS in the App Store (as mentioned in the 2013-01-23 update), and now Elie Bursztein, the researcher, has released his findings, describing issues that could have created a massive upset for iOS users if the exploits had become widely used.
“Early July 2012, I reported to Apple numerous vulnerabilities related to their App Store iOS app. Last week Apple finally issued a fix for it and turned on HTTPS for the App Store. I am really happy that my spare-time work pushed Apple to finally enable HTTPS to protect users,” Elie Bursztein states in his blog. “This post discusses the vulnerabilities I found. As a bonus, I made several video demos of the attacks described in this post so you can see for yourself how dangerous not having full HTTPS is.”
Basically, the flaw existed because Apple didn’t use encryption when an iPhone or other mobile device connected to the App Store, which meant that an attacker could hijack the connection.
In addition to the security flaw, the unencrypted connections also created a privacy vulnerability, as the complete list of applications installed on the device was disclosed over Wi-Fi.
“An Apple representative declined to respond to questions from CNET this morning, including a query about why it took so long to fix this particular vulnerability,” CNET wrote.