Apple adds HTTPS encryption to App Store

Update comes almost a year after researcher reported several security vulnerabilities

Apple (NASDAQ:AAPL) has added security encryption to its App Store, almost a year after a Google (NASDAQ:GOOG) researcher brought a vulnerability to the company's attention that allowed users to make unauthorized purchases.

Researcher Elie Bursztein revealed on his blog that he had alerted Apple to numerous security issues last July but that Apple had only turned on HTTPS for the App Store last week. HTTPS is a more secure version of the HTTP standard and is commonly used in commerce and banking.

"While the Apple App Store is a native iOS app, most of its active content, including app pages and the update page, is dynamically rendered from server data. The server data is mostly standard Web data (HTML/Javascript/CSS) with custom extensions/keywords," explained Bursztein. A user only needs to be on a shared network, such as public Wi-Fi, for a malicious party to steal their password, force them to purchase a different app or upgrade, or grab sensitive information without their knowledge.

For example, a user attempting to purchase or update an app could become the victim of a man-in-the-middle attack. Without HTTPS in place, the attacker could swap out the item the user was attempting to purchase and replace it with their own overpriced or malicious app.

Apple first implemented this change for the Chinese version of the App Store late last year. In its list of security updates Apple thanked Bursztein as well as Bernhard Brehm of Recurity Labs and Rahul Iyer of Bejoi.

Apple did not immediately respond to a request for comment on the update.

Earlier this week Apple Senior President of Worldwide Marketing Phil Schiller took a swing at Google's mobile security, after a study revealed that almost 80 percent of mobile malware threats in 2012 targeted Android devices. 
