New Vulnerability Found in Apps Using Wi-Fi

Public Wi-Fi networks are notoriously insecure, and now there’s this: Mobile security researchers have discovered a new way for attackers to access mobile phone apps from Wi-Fi networks.

On Tuesday, mobile security researchers will demonstrate a simple attack that exploits a vulnerability in the code within apps that run on Apple’s iOS operating system. The vulnerability allows attackers to persistently alter the server URL from which a mobile app loads its data, so that instead of loading data from realserver.com, for instance, the attack makes the app load data from attacker.com, without the victim knowing. Attackers could use that data to load malicious links, or insert fake, market-moving news into a news app.

The researchers from Skycure, a mobile security company, said that in the past they had alerted app makers to a vulnerability before making it public. In this case, however, they said such responsible disclosure was all but impossible because the vulnerability was present in hundreds of apps they tested, including stock management and news apps. They declined to name the apps affected for fear attackers would use the knowledge and exploit it. (However, the Skycure researchers said The New York Times app was not affected.)

“The vulnerability affects so many apps that it’s virtually impossible to alert app makers,” said Yair Amit, Skycure’s chief technology officer.

The researchers put together a short video demonstrating how attackers can manipulate an app. They use what is called a 301 directive, an HTTP "moved permanently" redirect, to reroute the traffic that normally flows from an app to the app maker's server so that it goes to the attackers' server instead.
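To make the persistence described above concrete from the defender's side, here is an added simulation (not Skycure's demo code, and not from any real app): it contrasts a client whose HTTP layer remembers a 301 target across sessions with one that never persists redirects and only follows them to an allow-listed HTTPS host. The two in-memory "networks", the hosts realserver.com and attacker.com, the `/feed` path and the response bodies are all constructed for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urljoin, urlsplit


# Constructed sample HTTP responses. Hosts and paths are placeholders
# following the article's realserver.com / attacker.com framing.
@dataclass
class Response:
    status: int
    headers: dict
    body: str = ""


HOSTILE_NETWORK = {
    # While on the hostile Wi-Fi, the app's request for its feed is
    # answered with a 301 pointing at the attacker's host.
    "https://realserver.com/feed": Response(301, {"Location": "https://attacker.com/feed"}),
    "https://attacker.com/feed": Response(200, {}, "FAKE: market crash"),
}

SAFE_NETWORK = {
    # Later, on a trusted network, the real server answers normally.
    "https://realserver.com/feed": Response(200, {}, "real headlines"),
    "https://attacker.com/feed": Response(200, {}, "FAKE: market crash"),
}


def is_trusted_redirect(request_url, location, trusted_hosts):
    """Allow a redirect only if it stays on HTTPS and on an allow-listed host."""
    target = urlsplit(urljoin(request_url, location))
    return target.scheme == "https" and target.hostname in trusted_hosts


class NaiveClient:
    """Models an HTTP stack that remembers 301 targets across requests."""

    def __init__(self, base_url):
        self.base_url = base_url
        self.permanent_redirects = {}  # request URL -> cached 301 target

    def fetch(self, path, network):
        url = urljoin(self.base_url, path)
        url = self.permanent_redirects.get(url, url)  # a cached 301 wins
        resp = network[url]
        while resp.status in (301, 302):
            target = urljoin(url, resp.headers["Location"])
            if resp.status == 301:
                self.permanent_redirects[url] = target  # persists forever
            url, resp = target, network[target]
        return url, resp.body


class HardenedClient:
    """Never persists redirects and refuses to leave the allow-listed hosts."""

    def __init__(self, base_url, trusted_hosts, max_hops=5):
        self.base_url = base_url
        self.trusted_hosts = set(trusted_hosts)
        self.max_hops = max_hops

    def fetch(self, path, network):
        url = urljoin(self.base_url, path)
        resp = network[url]
        hops = 0
        while resp.status in (301, 302):
            location = resp.headers.get("Location", "")
            if hops >= self.max_hops or not is_trusted_redirect(url, location, self.trusted_hosts):
                # An off-host redirect is an error to log, not a new home for the app.
                return url, None
            url = urljoin(url, location)
            resp = network[url]
            hops += 1
        return url, resp.body


def run_simulation():
    """Fetch the feed once on the hostile network, then again on a safe one."""
    naive = NaiveClient("https://realserver.com/")
    hardened = HardenedClient("https://realserver.com/", ["realserver.com"])
    return {
        "naive_on_hostile": naive.fetch("feed", HOSTILE_NETWORK),
        "hardened_on_hostile": hardened.fetch("feed", HOSTILE_NETWORK),
        "naive_later": naive.fetch("feed", SAFE_NETWORK),
        "hardened_later": hardened.fetch("feed", SAFE_NETWORK),
    }


if __name__ == "__main__":
    for name, (url, body) in run_simulation().items():
        print(f"{name:20s} {url} -> {body!r}")
```

The naive client keeps serving the attacker's content even after the phone has left the hostile network, because the 301 target was stored and reused; the hardened client rejects the off-host redirect on the spot and is unaffected afterwards. The same allow-list check belongs wherever an app lets its HTTP library follow redirects automatically.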

On Tuesday, Skycure researchers will demonstrate how a simple vulnerability allows attackers to permanently manipulate iOS apps.

The same researchers uncovered a separate vulnerability last year in which LinkedIn was pulling members’ calendar entries on iPhones and iPads — including details about meeting locations, participants, dial-in information, passwords and sensitive meeting notes — back to its servers. Following disclosure, LinkedIn tweaked its code to stop taking notes from private calendar appointments.