iPhone, iPad Apps Subject To Man-In-The-Middle Attacks

In a talk today at RSA Europe, researchers disclosed a new vulnerability.

Known as HTTP Request Hijacking, the technique, presented by researchers from Skycure, exploits a weakness in how iPhone/iPad apps access their backend servers, allowing an attacker to manipulate the results the app receives.

In defending the public disclosure, Skycure's CTO Yair Amit said "Usually we go through responsible disclosure and contact specific vendors of programs, solve it, then talk about it. In this case it's an interesting challenge in that there's a huge amount of applications, too many to have an organized disclosure route, so we give developers the information they need to fix the applications."

According to The Register, "The attack effectively shifts the URL consulted by an application from that used by the developer to whatever the attacker fancies without needing to alert the user. Data expected to be fetched from the backend server will instead feed from the attacker's system, and conversely any information submitted by the app, however personal, will end up in the miscreant's hands."

To fix the issue, Skycure will post "a source code fix that can be dropped into applications quickly by developers, and open up a repository of reference material that can be consulted to avoid the problem in the future," The Register said.
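The article does not reproduce Skycure's drop-in fix, so the following is an added illustration of the kind of check a developer can put in an app, not Skycure's code or The Register's. It assumes the app's backend host is known at build time (the hypothetical `api.example.com` below) and uses the URLSession redirect delegate callback to refuse any redirect that would move a request off that host or off HTTPS, which is the behaviour the description above says the attack relies on: the app quietly starting to consult an attacker-chosen URL.

```swift
import Foundation

/// Added example (not Skycure's published fix): a URLSession task delegate
/// that only follows HTTP redirects which keep the request on the app's own
/// backend host over HTTPS. Any redirect elsewhere is refused, so the app
/// never silently switches to a server the developer did not choose.
final class PinnedHostRedirectGuard: NSObject, URLSessionTaskDelegate {
    /// The only host this app is willing to talk to (assumed value).
    private let allowedHost: String

    init(allowedHost: String) {
        self.allowedHost = allowedHost.lowercased()
    }

    /// Returns true only for https:// URLs on the pinned host.
    func isAcceptable(_ url: URL) -> Bool {
        guard let scheme = url.scheme?.lowercased(),
              let host = url.host?.lowercased() else {
            return false
        }
        return scheme == "https" && host == allowedHost
    }

    func urlSession(_ session: URLSession,
                    task: URLSessionTask,
                    willPerformHTTPRedirection response: HTTPURLResponse,
                    newRequest request: URLRequest,
                    completionHandler: @escaping (URLRequest?) -> Void) {
        if let target = request.url, isAcceptable(target) {
            // Redirect stays on our backend: follow it.
            completionHandler(request)
        } else {
            // Passing nil tells URLSession not to follow the redirect; the
            // original redirect response is delivered to the task instead and
            // the app can treat it as a failed request rather than new data.
            completionHandler(nil)
        }
    }
}

// Usage: build every backend session with the guard installed so the check
// applies to all requests, not just the one that first triggered a redirect.
let redirectGuard = PinnedHostRedirectGuard(allowedHost: "api.example.com")
let session = URLSession(configuration: .default,
                         delegate: redirectGuard,
                         delegateQueue: nil)

let request = URLRequest(url: URL(string: "https://api.example.com/v1/profile")!)
let task = session.dataTask(with: request) { data, response, error in
    // A refused redirect surfaces here as a 3xx HTTPURLResponse with no
    // usable body; the app should log it and not trust the result.
    if let http = response as? HTTPURLResponse, (300..<400).contains(http.statusCode) {
        print("redirect off the pinned host was refused (status \(http.statusCode))")
        return
    }
    // Normal handling of data / error continues here.
}
task.resume()
```

The delegate hook fires for every redirect on that session, so the check holds regardless of how the first request was answered. Because the allowed host is compared as a whole string, lookalike hosts such as a subdomain under a different parent are rejected as well; if the app legitimately uses several backend hosts, the single `allowedHost` string would become a small allow-list.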