Last July, a Google security researcher discovered a number of vulnerabilities in Apple’s App Store stemming from the company’s failure to use HTTPS encryption. Now, some six months later, Apple has started using HTTPS encryption, and the researcher has publicly shared some of the problems users could have faced if hackers had exploited the vulnerabilities.
As Elie Bursztein describes in his blog, the lack of App Store encryption could have let malicious users hijack an iOS user’s password, force users to download different apps than the ones they meant to, prevent app installs altogether, or manipulate app upgrades so users would install different apps than they intended.
The app-swapping exploits could have led users to purchase apps when intending to download free ones. An exploit like this would require the bad guy to be on the same Wi-Fi network as the iOS user, but that’s not hard to imagine in today’s world of free Wi-Fi in Starbucks, airports, and even Sam’s Clubs.
The password-theft vulnerability is the one that should freak out users the most. As we’ve learned in the past, hackers can do some real damage if they have control of a user’s Apple ID.
What’s really sad is that it took Apple six months to fix this. Bursztein says he reported his findings to Apple back in July of 2012. Apple didn’t turn on HTTPS encryption until the end of January 2013.
If that’s not scary enough, the App Store ran for years without HTTPS encryption being enabled. It’s pure luck that the hole never came to the attention of the bad guys. That we know of.